PT-2026-5219 · Nocodb · Nocodb

Kolega-Ai-Dev · Published 2026-01-28 · Updated 2026-05-05 · CVE-2026-24767

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.301.0

Description: A Server-Side Request Forgery (SSRF) issue exists in the uploadViaURL functionality due to an unprotected HEAD request. The initial metadata request executes without validation, allowing limited outbound requests to arbitrary URLs before SSRF controls are applied. The uploadViaURL() function uses axios.head() to retrieve metadata without SSRF filtering; this request is performed before SSRF protections are enforced.

The impact is limited, as only HEAD requests are affected and no direct exfiltration of response data occurs. However, it may allow blind SSRF via outbound HEAD requests, limited internal service probing, and interaction with sensitive internal endpoints that respond to HEAD requests. The issue does not provide arbitrary data access or full internal network compromise on its own. A proof of concept involves sending a POST request to the /api/v2/storage/upload-by-url endpoint with a malicious URL in the url parameter.

Recommendations: Versions prior to 0.301.0 should be updated to version 0.301.0 or later.
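As an added illustration (not NocoDB's own code), the ordering defect described above beside its fix: a hypothetical isSafeOutboundUrl() check, a vulnerable uploadViaUrl variant that issues the metadata HEAD before validating, and the corrected variant that validates first. The head argument is a constructed, synchronous stand-in for axios.head() that only records which URLs would have been contacted.

```javascript
// Added example, not NocoDB code. Names below are hypothetical.

// Reject URLs whose literal host is loopback, private, link-local (which
// includes the 169.254.169.254 cloud metadata address) or a non-http scheme.
// new URL() normalises numeric host forms (e.g. 0x7f000001 -> 127.0.0.1).
// A real deployment must also resolve the hostname and check the resolved
// addresses (and connect to those, not re-resolve) to defeat DNS rebinding.
function isSafeOutboundUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (!["http:", "https:"].includes(u.protocol)) return false;
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 0 || a === 10 || a === 127) return false;          // this-host, RFC1918, loopback
    if (a === 169 && b === 254) return false;                      // link-local / metadata
    if (a === 172 && b >= 16 && b <= 31) return false;             // RFC1918
    if (a === 192 && b === 168) return false;                      // RFC1918
  } else if (host.includes(":")) {                                 // IPv6 literal
    if (host === "::1" || host === "::") return false;             // loopback / unspecified
    if (/^f[cd]/.test(host) || host.startsWith("fe80")) return false; // ULA / link-local
    if (host.startsWith("::ffff:")) return false;                  // v4-mapped: reject conservatively
  }
  return true;
}

// Vulnerable ordering: the metadata HEAD fires before the SSRF check, so a
// URL that will be rejected is still contacted once (blind SSRF / probing).
function uploadViaUrlVulnerable(url, head) {
  const meta = head(url);                       // unvalidated outbound request
  if (!isSafeOutboundUrl(url)) throw new Error("blocked by SSRF policy");
  return meta;
}

// Fixed ordering: validate first; no request of any method leaves the host
// until the URL has passed the policy.
function uploadViaUrlFixed(url, head) {
  if (!isSafeOutboundUrl(url)) throw new Error("blocked by SSRF policy");
  return head(url);
}

// Constructed stand-in for axios.head(): records the URL, returns fake headers.
function recordingHead(log) {
  return (url) => { log.push(url); return { "content-length": "0" }; };
}
```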

Weakness Enumeration: SSRF

Related Identifiers: CVE-2026-24767, GHSA-XR7V-J379-34V9

Affected Products: Nocodb