CVE-2026-24767

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24767

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24767.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-24767

Aliases

GHSA-xr7v-j379-34v9

Published

2026-01-28T20:29:29.868Z

Modified

2026-01-29T19:35:31.165272Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality

Details

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality due to an unprotected HEAD request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24767.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nocodb/nocodb

Affected ranges

Type

GIT

Repo

https://github.com/nocodb/nocodb

Events

Introduced

Fixed

046ea02f97485a2da7b98d1f0f9737bada5981b9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.301.0"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.100.0

0.100.1

0.100.2

0.101.0

0.101.0-beta.0

0.101.2

0.104.1

0.104.2

0.104.3

0.105.0

0.105.1

0.105.2

0.105.3

0.106.0

0.106.0-beta.0

0.106.0-beta.1

0.106.1

0.107.0

0.107.0-beta.0

0.107.0-beta.1

0.107.1

0.107.2

0.107.3

0.107.4

0.107.5

0.108.0

0.108.0-beta.0

0.108.1

0.109.0

0.109.1

0.109.2

0.109.3

0.109.4

0.109.5

0.109.6

0.109.7

0.11.0

0.11.1

0.11.10

0.11.11

0.11.12

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.25

0.11.26

0.11.28

0.11.29

0.11.3

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.36

0.11.39

0.11.4

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.5

0.11.6

0.11.7

0.11.9

0.111.0

0.111.1

0.111.2

0.111.3

0.111.4

0.200.0

0.202.0

0.202.10

0.202.4

0.202.5

0.202.6

0.202.7

0.202.8

0.202.9

0.203.0

0.203.1

0.203.2

0.204.0

0.204.1

0.204.2

0.204.3

0.204.4

0.204.5

0.204.6

0.204.7

0.204.8

0.204.9

0.205.0

0.205.1

0.207.0

0.207.1

0.207.2

0.207.3

0.250.0

0.250.1

0.250.2

0.251.0

0.251.1

0.251.2

0.251.3

0.252.0

0.253.0

0.255.0

0.255.1

0.255.2

0.256.0

0.257.0

0.257.2

0.258.0

0.258.1

0.258.10

0.258.11

0.258.2

0.258.3

0.260.0

0.260.1

0.260.2

0.260.3

0.260.4

0.260.5

0.260.6

0.260.7

0.261.0

0.262.0

0.262.1

0.262.2

0.262.3

0.262.4

0.262.5

0.263.0

0.263.1

0.263.2

0.263.3

0.263.4

0.263.6

0.263.7

0.263.8

0.264.0

0.264.1

0.264.2

0.264.3

0.264.4

0.264.6

0.264.7

0.264.8

0.264.9

0.265.0

0.265.1

0.300.0

0.4.5

0.4.8

0.4.9

0.80.0

0.81.0

0.81.1

0.82.0

0.83.0

0.83.1

0.83.2

0.83.3

0.83.4

0.83.5

0.83.6

0.83.8

0.84.1

0.84.10

0.84.12

0.84.13

0.84.14

0.84.15

0.84.16

0.84.2

0.84.3

0.84.6

0.84.7

0.84.8

0.84.9

0.9

0.90.0

0.90.1

0.90.10

0.90.11

0.90.2

0.90.3

0.90.4

0.90.5

0.90.7

0.90.8

0.90.9

0.91.0

0.91.1

0.91.10

0.91.6

0.91.7

0.91.8

0.91.9

0.92.0

0.92.1

0.92.2

0.92.3

0.92.4

0.96.0

0.96.1

0.96.2

0.96.4

0.97.0

0.98.1

0.98.2

0.98.3

0.98.4

0.99.0

0.99.1

0.99.2

v0.*

v0.10.0

v0.4.2

v0.4.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24767.json"