CVE-2026-24767: NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
A blind Server-Side Request Forgery (SSRF) vulnerability exists in the uploadViaURL functionality because the initial HEAD request, used to fetch metadata about the target, is issued without URL validation. The subsequent file retrieval logic correctly enforces SSRF protections, but by then one outbound request has already been made. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied.