CVE-2026-24767 Overview
NocoDB, an open-source platform for building databases as spreadsheets, contains a blind Server-Side Request Forgery (SSRF) vulnerability in its uploadViaURL functionality. Prior to version 0.301.0, the application issues the initial HEAD request used to gather file metadata without running it through its SSRF validation, allowing authenticated attackers to make limited outbound requests to arbitrary URLs before SSRF protections are enforced.
Critical Impact
Authenticated attackers can bypass SSRF protections during the initial metadata request phase, potentially enabling internal network reconnaissance or interaction with internal services.
Affected Products
- NocoDB versions prior to 0.301.0
Discovery Timeline
- 2026-01-28 - CVE-2026-24767 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24767
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The flaw exists in the uploadViaURL feature, which allows users to upload files by providing a URL. While NocoDB implements SSRF protections for the actual file retrieval operation, the initial HEAD request used to gather file metadata executes without any validation or filtering.
The problem is one of ordering, not a race: the metadata request goes out before the URL is ever checked, so the check only ever protects the second request. An attacker with a low-privileged account can submit URLs pointing at internal network hosts, cloud metadata endpoints (such as 169.254.169.254), or other services reachable only from the NocoDB server. The vulnerability is blind (the attacker does not see the response body), but making the server send a request to a chosen destination is still significant: it can confirm which internal hosts and ports answer, and it can trigger side effects on services that act on a bare HEAD.
The attack requires network access to the NocoDB instance and an authenticated account; once those are in hand, complexity is low. Because the requests originate from the NocoDB server, the impact extends beyond NocoDB itself to whatever that server can reach, which is why the vulnerability is rated as affecting resources beyond the vulnerable component's own security boundary.
Root Cause
The root cause is the absence of URL validation and SSRF filtering on the initial HEAD request in the uploadViaURL functionality. The developers implemented SSRF protections for the subsequent file retrieval logic but overlooked applying the same controls to the metadata request that precedes it.
Attack Vector
The attack is network-based and requires an authenticated user to submit a crafted URL through the uploadViaURL feature. The attacker constructs a URL pointing to an internal resource (such as http://169.254.169.254/ for cloud metadata services, or an RFC 1918 address). When the application processes this URL, it issues an unprotected HEAD request to the target. Because the response body is not returned, the attacker infers what happened from the side channels that remain: whether the upload proceeds or fails, which error is raised, and how long the server takes to answer. HEAD requests can also trigger actions on internal services that act on any request regardless of method.
The validation runs only after the first request has already been sent, so the control arrives too late in the processing pipeline. This is not a time-of-check/time-of-use race but a plain coverage gap: the SSRF check was wired to one of the two code paths that make outbound requests.
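As an added example (not code from NocoDB or its maintainers), the ordering defect described above next to a hardened handler, in JavaScript. The handler names, the recording transport and the name-to-address table are illustrative assumptions, and the sample URLs are constructed. The hardened version also pins the checked address, which goes a step beyond the advisory's fix and addresses DNS rebinding.

```javascript
// Added example, not NocoDB's code: the control-ordering bug behind
// CVE-2026-24767 shown as a generic URL-upload handler beside a hardened
// version. uploadViaUrlVulnerable, uploadViaUrlHardened, RecordingHttp and
// RESOLVER are illustrative names and stand-ins, not NocoDB identifiers.

const MAX_BYTES = 10 * 1024 * 1024;

// Classify an address literal: true = internal (0/8, loopback, RFC 1918,
// CGNAT, link-local incl. 169.254.169.254, IPv6 loopback/ULA/link-local and
// IPv4-mapped IPv6), false = public, null = not an address (a DNS name).
function isInternalAddress(ip) {
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(ip);
  if (mapped) return isInternalAddress(mapped[1]);
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const [a, b, c, d] = v4.slice(1).map(Number);
    if ([a, b, c, d].some((o) => o > 255)) return null;
    return a === 0 || a === 10 || a === 127
      || (a === 100 && b >= 64 && b <= 127)
      || (a === 169 && b === 254)
      || (a === 172 && b >= 16 && b <= 31)
      || (a === 192 && b === 168);
  }
  if (ip.includes(':')) {
    const v6 = ip.toLowerCase();
    return v6 === '::1' || v6 === '::'
      || /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
  }
  return null;
}

// Parse the URL, resolve its host once, and refuse internal targets before
// anything is sent. Returns the checked address so callers connect to that
// address (pinning) instead of resolving the name again later, which is
// what a DNS-rebinding attacker relies on. new URL() already folds decimal,
// octal and hex IPv4 spellings into dotted form, so those are covered too.
function assertSafeTarget(rawUrl, resolve) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`blocked scheme ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
  const addr = isInternalAddress(host) === null ? resolve(host) : host;
  if (addr === undefined) throw new Error(`unresolvable host ${host}`);
  if (isInternalAddress(addr)) throw new Error(`blocked internal target ${host} -> ${addr}`);
  return addr;
}

// Stand-in transport: records what it is asked to send instead of touching
// the network, and returns a constructed canned response.
class RecordingHttp {
  constructor() { this.requests = []; }
  request(method, url, pinnedAddr) {
    this.requests.push(`${method} ${url}${pinnedAddr ? ` via ${pinnedAddr}` : ''}`);
    return { status: 200, headers: { 'content-length': '1024' } };
  }
}

// Constructed name-to-address table standing in for DNS.
const RESOLVER = { 'files.example.com': '203.0.113.10', 'internal.example.com': '10.0.0.5' };
const resolve = (host) => RESOLVER[host];

// Vulnerable ordering (the CVE-2026-24767 pattern): the metadata HEAD goes
// out before any check, so the SSRF filter only ever protects the GET.
function uploadViaUrlVulnerable(rawUrl, http) {
  const meta = http.request('HEAD', rawUrl);                       // unchecked
  if (Number(meta.headers['content-length']) > MAX_BYTES) throw new Error('too large');
  assertSafeTarget(rawUrl, resolve);                               // too late
  return http.request('GET', rawUrl);
}

// Hardened ordering: validate first, then pin both requests to the checked
// address. Redirect targets would need the same check before being followed.
function uploadViaUrlHardened(rawUrl, http) {
  const addr = assertSafeTarget(rawUrl, resolve);
  const meta = http.request('HEAD', rawUrl, addr);
  if (Number(meta.headers['content-length']) > MAX_BYTES) throw new Error('too large');
  return http.request('GET', rawUrl, addr);
}

// Run both handlers against one URL and report what reached the transport.
function compare(rawUrl) {
  const out = {};
  for (const [name, fn] of [['vulnerable', uploadViaUrlVulnerable], ['hardened', uploadViaUrlHardened]]) {
    const http = new RecordingHttp();
    let error = null;
    try { fn(rawUrl, http); } catch (e) { error = e.message; }
    out[name] = { requests: http.requests, error };
  }
  return out;
}

console.log(JSON.stringify(compare('http://169.254.169.254/latest/meta-data/'), null, 2));
```

Running it prints what each handler sent for the metadata endpoint: the vulnerable one has already issued the HEAD by the time it rejects the URL, the hardened one sends nothing. In a real service, redirect targets and any address the HTTP client resolves on its own need the same check.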
Detection Methods for CVE-2026-24767
Indicators of Compromise
- Unusual outbound HEAD requests originating from the NocoDB server to internal IP ranges or cloud metadata endpoints
- Application logs showing uploadViaURL requests with URLs targeting internal network resources (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, or 169.254.169.254), including non-dotted spellings of those addresses (decimal or hexadecimal integers) and hostnames that resolve to them
- Network traffic from the NocoDB server to unexpected internal services or known SSRF target endpoints
Detection Strategies
- Monitor egress traffic from NocoDB servers for requests to internal IP ranges or localhost addresses
- Implement web application firewall (WAF) rules to detect and block common SSRF payload patterns in URL parameters, treating them as a partial control: numeric or encoded address forms, hostnames that resolve to internal addresses, and redirects all slip past a literal pattern match
- Review application logs for uploadViaURL endpoint usage with suspicious URL patterns
- Deploy network segmentation monitoring to detect lateral movement attempts from the NocoDB server
Monitoring Recommendations
- Enable detailed logging for all uploadViaURL requests including the target URLs
- Configure alerting for outbound connections from the NocoDB server to internal network segments
- Monitor for timing-based reconnaissance patterns where multiple HEAD requests are made to sequential internal IP addresses
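The indicators and monitoring points above, turned into a small log scanner as an added example (not NocoDB's own logging or tooling): the line format, user names and log entries are constructed, and the sweep threshold and window are arbitrary starting points to tune.

```javascript
// Added example, not NocoDB's code: scan application logs for uploadViaURL
// requests aimed at internal targets and for the sweep pattern (one user,
// many internal hosts in a short window). The line format matched by LINE_RE
// is an assumption for illustration; adapt it to what your deployment emits.

const LINE_RE = /^(\S+) user=(\S+) action=uploadViaURL url=(\S+)$/;

// Hostnames that point inward: 0/8, loopback, RFC 1918, CGNAT, link-local
// (incl. 169.254.169.254), IPv6 loopback/ULA/link-local in URL brackets,
// and conventional internal names. Applied to new URL().hostname, which
// already folds decimal/octal/hex IPv4 spellings into dotted form.
const INTERNAL_HOST_RE = new RegExp([
  '^0\\.', '^10\\.', '^127\\.', '^192\\.168\\.', '^169\\.254\\.',
  '^172\\.(1[6-9]|2\\d|3[01])\\.', '^100\\.(6[4-9]|[7-9]\\d|1[01]\\d|12[0-7])\\.',
  '^\\[::1\\]$', '^\\[f[cd][0-9a-f]{2}:', '^\\[fe[89ab][0-9a-f]:',
  '^localhost$', '^metadata\\.google\\.internal$', '\\.internal$', '\\.local$',
].join('|'), 'i');

// Returns { flagged, sweeps }: every parsed request whose target is internal,
// and, per user, the first window of `windowMs` in which at least
// `sweepThreshold` distinct internal hosts were targeted.
function scanUploadLog(lines, { windowMs = 60_000, sweepThreshold = 5 } = {}) {
  const flagged = [];
  const perUser = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;                                            // not an upload line
    const [, ts, user, url] = m;
    let host;
    try { host = new URL(url).hostname; } catch { continue; }   // unparseable URL
    if (!INTERNAL_HOST_RE.test(host)) continue;
    flagged.push({ ts, user, host, url });
    if (!perUser.has(user)) perUser.set(user, []);
    perUser.get(user).push({ t: Date.parse(ts), host });
  }
  const sweeps = [];
  for (const [user, events] of perUser) {
    events.sort((x, y) => x.t - y.t);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (events[end].t - events[start].t > windowMs) start++;   // slide window
      const hosts = new Set(events.slice(start, end + 1).map((e) => e.host));
      if (hosts.size >= sweepThreshold) {
        sweeps.push({ user, from: events[start].t, hosts: [...hosts] });
        break;
      }
    }
  }
  return { flagged, sweeps };
}

// Constructed sample log: one benign upload, one user sweeping the metadata
// endpoint and a run of 10.0.0.x hosts (127.0.0.1 spelled as an integer),
// one localhost probe, and a line that does not parse.
const SAMPLE_LOG = [
  '2026-01-29T10:00:00Z user=bob action=uploadViaURL url=https://files.example.com/report.pdf',
  '2026-01-29T10:00:05Z user=mallory action=uploadViaURL url=http://169.254.169.254/latest/meta-data/',
  '2026-01-29T10:00:06Z user=mallory action=uploadViaURL url=http://10.0.0.1/',
  '2026-01-29T10:00:07Z user=mallory action=uploadViaURL url=http://10.0.0.2/',
  '2026-01-29T10:00:08Z user=mallory action=uploadViaURL url=http://10.0.0.3/',
  '2026-01-29T10:00:09Z user=mallory action=uploadViaURL url=http://10.0.0.4/',
  '2026-01-29T10:00:10Z user=mallory action=uploadViaURL url=http://2130706433/',
  '2026-01-29T10:30:00Z user=alice action=uploadViaURL url=http://localhost:8080/admin',
  'garbage line that does not parse',
];

console.log(JSON.stringify(scanUploadLog(SAMPLE_LOG), null, 2));
```

The per-request flags feed an alert on their own; the sweep detector is what catches the sequential-address reconnaissance described above, where no single request looks remarkable but one account touches many internal hosts within a minute. Note that 2130706433 is reported as 127.0.0.1 because the URL parser normalizes it, which is also why pattern matching on the raw submitted string misses such spellings.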
How to Mitigate CVE-2026-24767
Immediate Actions Required
- Upgrade NocoDB to version 0.301.0 or later immediately
- Review application logs for evidence of exploitation attempts targeting the uploadViaURL endpoint
- Implement network-level egress filtering to restrict outbound requests from the NocoDB server to approved destinations only
Patch Information
NocoDB version 0.301.0 contains a patch that addresses this vulnerability by applying SSRF validation to the initial HEAD request in the uploadViaURL functionality. Organizations should upgrade to this version or later as soon as possible. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level egress filtering to block outbound requests from the NocoDB server to internal network ranges and cloud metadata endpoints
- Deploy a reverse proxy or WAF in front of NocoDB to reject URLs submitted to the uploadViaURL endpoint that point at literal internal addresses (this does not catch hostnames that resolve inward or redirects, so it complements egress filtering rather than replacing it)
- Restrict access to the uploadViaURL functionality to trusted users only until the patch can be applied
- Segment the NocoDB server network to limit the potential impact of SSRF attacks
# Example: iptables egress filtering to block common SSRF targets, scoped to
# the account NocoDB runs as (here "nocodb", an assumed name; adjust to match).
# Put ACCEPT rules for destinations NocoDB legitimately needs (its database,
# its object store) BEFORE the reject rules, or the application itself breaks.
iptables -A OUTPUT -m owner --uid-owner nocodb -d 10.0.1.5 -p tcp --dport 5432 -j ACCEPT  # example DB address
iptables -A OUTPUT -m owner --uid-owner nocodb -o lo -j REJECT
iptables -A OUTPUT -m owner --uid-owner nocodb -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner nocodb -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner nocodb -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner nocodb -d 169.254.0.0/16 -j REJECT
# If NocoDB runs in a container, its traffic crosses the host's FORWARD chain
# (DOCKER-USER on Docker), not OUTPUT; apply equivalent rules there.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

