Home > Vulnerability Database > CVE-2026-24767

Mend.io Vulnerability Database

CVE-2026-24767

Good to know:

Date: January 28, 2026

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the "uploadViaURL" functionality due to an unprotected "HEAD" request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Severity Score

4.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24767

Url: https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9

Url: https://github.com/nocodb/nocodb

Url: https://www.mend.io/vulnerability-database/CVE-2026-24767

Severity Score

4.9

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version nocodb - 0.301.0

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24767

Good to know:

Date: January 28, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?