CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24767: Headless Horseman: NocoDB Blind SSRF via Premature HEAD Requests

Vulnerability ID: CVE-2026-24767
CVSS Score: 4.9
Published: 2026-01-28

A blind Server-Side Request Forgery (SSRF) vulnerability in NocoDB allows an authenticated user to make the server send an HTTP request to an internal network address. The flaw lies in the uploadViaURL feature, which issued an HTTP HEAD request to fetch file metadata before validating the target URL. Because the request leaves the server before the safety check runs, an attacker can probe internal hosts or reach cloud metadata services even though the upload itself is ultimately rejected. The SSRF is blind: the response body is not returned to the attacker, so the impact is reconnaissance (which addresses and ports answer) rather than data exfiltration.

TL;DR

NocoDB fetched file metadata (HEAD) before checking whether the URL was safe (validation). An authenticated attacker can abuse this ordering to make the server send HEAD requests to internal IPs and cloud metadata endpoints. Fixed in v0.301.0.

Technical Details

  • CWE ID: CWE-918 (SSRF)
  • Attack Vector: Network
  • CVSS: 4.9 (Medium)
  • Impact: Internal Reconnaissance
  • Exploit Status: PoC Available
  • Platform: Node.js / Vue

Affected Systems

  • NocoDB < 0.301.0 (fixed in 0.301.0)

Code Analysis

Commit: 656e76b

Fix: SSRF validation logic order in storage upload

The diff moves the isValidUrl check ahead of the axios.head call, so a URL that fails validation is rejected before any request leaves the server.
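As an added illustration, not NocoDB's code or the actual patch, the following shows the ordering flaw the commit corrects: a fake HEAD client that records what would leave the server, a vulnerable uploadViaUrl that calls it before validating, and a fixed one that validates first. The names isSafeUrl, uploadViaUrlVulnerable, uploadViaUrlFixed, makeHeadClient and demo, the constructed FAKE_DNS table and the metadata.internal hostname are assumptions for illustration. The check also goes beyond the string-level isValidUrl named in the commit: it tests the resolved address, because a hostname that resolves into a private or link-local range must be rejected just like a raw IP.

```javascript
// Added example (not NocoDB's code): the validation-order bug behind
// CVE-2026-24767, shown as a vulnerable and a fixed uploadViaUrl side by side.
// All names below are illustrative assumptions, not NocoDB identifiers.

// Constructed DNS table so the example runs offline. A real check must resolve
// the hostname itself and test the resolved address; a string check alone lets
// "metadata.internal" (or a rebinding domain) through.
const FAKE_DNS = {
  "files.example.com": "203.0.113.10",
  "metadata.internal": "169.254.169.254",
  "localhost": "127.0.0.1",
};

function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 ||                           // 0.0.0.0/8
    a === 10 ||                          // 10.0.0.0/8
    a === 127 ||                         // loopback
    (a === 169 && b === 254) ||          // link-local, incl. cloud metadata 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
    (a === 192 && b === 168)             // 192.168.0.0/16
  );
}

// Returns the address the fetch may connect to, or null if the URL is unsafe.
// The WHATWG URL parser canonicalizes numeric hosts (e.g. 2130706433 -> 127.0.0.1),
// so the range check sees dotted-quad form.
function isSafeUrl(rawUrl, resolve) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  let host = u.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host.includes(":")) {
    // IPv6 literal: reject loopback, link-local and unique-local ranges.
    const h = host.toLowerCase();
    if (h === "::1" || h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) return null;
    return host;
  }
  const ip = isIPv4(host) ? host : resolve(host);
  if (!ip || !isIPv4(ip) || isPrivateIPv4(ip)) return null;
  return ip;
}

// Fake HEAD client standing in for axios.head: records every request it would send.
function makeHeadClient() {
  const sent = [];
  return { sent, head: (url) => { sent.push(url); return { headers: { "content-length": "0" } }; } };
}

// Before the fix: metadata is fetched (a HEAD leaves the server) and only then validated.
function uploadViaUrlVulnerable(rawUrl, client, resolve) {
  const meta = client.head(rawUrl);                                  // request already sent ...
  if (!isSafeUrl(rawUrl, resolve)) throw new Error("invalid url");   // ... check comes too late
  return meta;
}

// After the fix: validate first, so no request is issued for a rejected URL.
function uploadViaUrlFixed(rawUrl, client, resolve) {
  if (!isSafeUrl(rawUrl, resolve)) throw new Error("invalid url");
  return client.head(rawUrl);
}

// Runs both versions against one URL and reports whether each rejected it
// and how many HEAD requests it sent before doing so.
function demo(rawUrl) {
  const resolve = (h) => FAKE_DNS[h] || null;
  const result = {};
  for (const [name, fn] of [["vulnerable", uploadViaUrlVulnerable], ["fixed", uploadViaUrlFixed]]) {
    const client = makeHeadClient();
    let rejected = false;
    try { fn(rawUrl, client, resolve); } catch { rejected = true; }
    result[name] = { rejected, headRequests: client.sent.length };
  }
  return result;
}

console.log(demo("http://169.254.169.254/latest/meta-data/"));
```

Running demo against a metadata URL shows the vulnerable version sending one HEAD before rejecting and the fixed version sending none. In production the resolver is the real DNS lookup, and the fetch should connect to the address that was checked rather than resolving again; otherwise an answer that changes between check and fetch (DNS rebinding) reopens the hole.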

Exploit Details

Mitigation Strategies

  • Upgrade to version 0.301.0 immediately.
  • Apply egress filtering from the NocoDB host or container so it cannot reach private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) it has no business contacting.
  • Block access to cloud metadata endpoints (169.254.169.254) at the network level, and, where the platform supports it, require session-based metadata access so a bare request cannot read credentials.
  • Since the flaw requires an authenticated account, restrict who can create records with URL-based attachments until the upgrade is complete.

Remediation Steps:

  1. Pull the fixed Docker image: docker pull nocodb/nocodb:0.301.0.
  2. Restart the NocoDB container/service and confirm the reported version is 0.301.0 or later.
  3. Verify the fix by submitting a URL upload that points at a loopback or private address (e.g., http://127.0.0.1:9/) while watching the NocoDB host's outbound traffic or a listener on that port: the upload should be rejected and no HEAD request should be observed. On an unpatched build the HEAD arrives before the rejection.

References


Read the full report for CVE-2026-24767 on our website for more details including interactive diagrams and full exploit analysis.