Server-Side Request Forgery (SSRF) in NocoDB - CVE-2026-24767

Published: April 27, 2026


Vulnerability identifier: #VU127978
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24767
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nocodb
Affected software:
NocoDB

Detailed vulnerability description

The vulnerability allows a remote user to make the server issue blind requests to arbitrary URLs.

The vulnerability exists in uploadViaURL(), which issues a HEAD request to the user-supplied URL without validating its target. Because the URL is attacker-controlled, a remote user with low privileges (PR:L in the vector) can send a specially crafted request that makes the server contact hosts of the attacker's choosing, including hosts on internal networks that are not reachable from the outside.

Only a HEAD request is issued, so no response body is returned to the attacker; the server-side request forgery is blind. Whether the operation succeeds or fails, and how it fails, can still differ depending on the target, which lets an attacker probe which internal hosts and ports are reachable from the NocoDB server.
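The advisory does not publish the vendor's fix, so the following is an added example of the generic remediation for this class of bug (CWE-918), not NocoDB's code. It shows the vulnerable shape the description gives (user input passed straight into a HEAD request) next to a hardened version that allow-lists the scheme, resolves the host, rejects internal address ranges and refuses to auto-follow redirects. The function names, the DNS table and the request descriptors are constructed for illustration.

```javascript
// Added example, not NocoDB's code: allow-listing a user-supplied URL before
// the server issues a HEAD (or any) request to it. Generic CWE-918 fix
// pattern; names and the DNS table below are constructed for illustration.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// IPv4 ranges a server must never reach on behalf of a user-controlled URL.
const BLOCKED_V4 = [
  "0.0.0.0/8",      // "this" network
  "10.0.0.0/8",     // RFC 1918
  "100.64.0.0/10",  // carrier-grade NAT
  "127.0.0.0/8",    // loopback
  "169.254.0.0/16", // link-local, incl. cloud metadata 169.254.169.254
  "172.16.0.0/12",  // RFC 1918
  "192.168.0.0/16", // RFC 1918
  "224.0.0.0/3",    // multicast, reserved, broadcast
];

// Dotted-quad string -> unsigned 32-bit number, or null if malformed.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inCidr(addr, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(net) & mask) >>> 0);
}

// IPv4 value of a literal, including IPv4-mapped IPv6. The WHATWG URL parser
// serializes ::ffff:10.0.0.1 as ::ffff:a00:1, so both spellings are handled.
function ipv4ValueOf(ip) {
  const dotted = /^(?:::ffff:)?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i.exec(ip);
  if (dotted) return parseIPv4(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(ip);
  if (hex) return parseInt(hex[1], 16) * 0x10000 + parseInt(hex[2], 16);
  return null;
}

function isBlockedIP(ip) {
  const v4 = ipv4ValueOf(ip);
  if (v4 !== null) return BLOCKED_V4.some((cidr) => inCidr(v4, cidr));
  if (!ip.includes(":")) return true; // neither IPv4 nor IPv6: fail closed
  const l = ip.toLowerCase();
  if (l === "::1" || l === "::") return true;     // loopback, unspecified
  if (/^f[cd][0-9a-f]{2}:/.test(l)) return true;  // fc00::/7 unique-local
  if (/^fe[89ab][0-9a-f]:/.test(l)) return true;  // fe80::/10 link-local
  return false;
}

// Validate a URL the user asked the server to fetch. `resolve(hostname)` is
// injected so the check runs offline here and so the caller can pin the
// connection to the address that was validated (defeats DNS rebinding).
// Returns { ok: true, url, addresses } or { ok: false, reason }.
function validateOutboundUrl(rawUrl, resolve) {
  let url;
  try {
    url = new URL(rawUrl); // also normalizes 2130706433 / 0x7f000001 to 127.0.0.1
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = parseIPv4(host) !== null || host.includes(":");
  const addresses = isLiteral ? [host] : resolve(host);
  if (!addresses || addresses.length === 0) return { ok: false, reason: "host does not resolve" };
  const bad = addresses.find(isBlockedIP); // every returned address must pass
  if (bad !== undefined) return { ok: false, reason: `resolves to internal address ${bad}` };
  return { ok: true, url: url.href, addresses };
}

// The vulnerable shape the advisory describes: user input becomes the target.
function buildHeadRequestUnsafe(rawUrl) {
  return { method: "HEAD", url: rawUrl, redirect: "follow" };
}

// Hardened: validate first, pin the connection, never auto-follow redirects
// (a public host can 302 to an internal address; each hop must be re-checked).
function buildHeadRequestSafe(rawUrl, resolve) {
  const v = validateOutboundUrl(rawUrl, resolve);
  if (!v.ok) throw new Error(`refusing outbound request: ${v.reason}`);
  return { method: "HEAD", url: v.url, connectTo: v.addresses[0], redirect: "manual" };
}

// Constructed DNS table for the example; no real lookups are performed.
const FAKE_DNS = {
  "cdn.example.com": ["203.0.113.10"],
  "metadata.internal": ["169.254.169.254"],
  "rebind.example.net": ["203.0.113.20", "127.0.0.1"], // mixed public/internal answer
};
const fakeResolve = (hostname) => FAKE_DNS[hostname.toLowerCase()] || [];
```

In a real deployment `resolve` would be a DNS lookup returning all answers, and the HTTP client must actually connect to the address that was checked (for example by supplying a custom `lookup` to the Node HTTP agent) rather than resolving the name a second time; otherwise a rebinding attacker answers the first lookup with a public address and the second with 127.0.0.1. Redirects are left to the caller so that every `Location` goes back through `validateOutboundUrl` before it is followed.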


How to mitigate CVE-2026-24767

Install the security update from the vendor's website.

Sources