CVE-2026-24767

Medium CVSS: 4.9

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue.

Vendor

Nocodb

Product

Nocodb

CWE

CWE-918

Yayın Tarihi

2026-01-28 21:16:12

Güncelleme

2026-02-04 20:05:20

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Nocodb MEDIUM Nocodb 2026

Referanslar

https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9 https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9

Benzer Kayıtlar

Medium

CVE-2026-28399

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator…

Medium

CVE-2026-28401

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via…

Medium

CVE-2026-28359

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor r…

Low

CVE-2026-28360

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored i…

Medium

CVE-2026-28361

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not valid…

Medium

CVE-2026-28396

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not rev…