Skip to main content

M Files Server CVE-2026-0932

| EUVDEUVD-2026-17865 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 M-Files Corporation GHSA-jm9p-6v87-5wr3
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
26.3.15818.5
EUVD ID Assigned
Apr 01, 2026 - 10:45 euvd
EUVD-2026-17865
Analysis Generated
Apr 01, 2026 - 10:45 vuln.today
CVE Published
Apr 01, 2026 - 10:03 nvd
MEDIUM 6.9

DescriptionCVE.org

Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

AnalysisAI

Blind server-side request forgery in M-Files Server before version 26.3 allows unauthenticated remote attackers to force the server to send HTTP GET requests to arbitrary URLs through legacy connection methods in document co-authoring features. This vulnerability enables attackers to probe internal networks, access internal services, or trigger downstream attacks without requiring authentication, with a CVSS score of 6.9 reflecting moderate real-world impact.

Technical ContextAI

Server-side request forgery (SSRF) vulnerabilities, classified under CWE-918, occur when an application fetches remote resources based on user-supplied input without proper validation. In this case, the M-Files Server's legacy connection methods for document co-authoring fail to sanitize or restrict HTTP GET request destinations. The 'blind' variant means the attacker cannot directly observe the response from the forged request, but can still trigger server-side actions and infer results through timing, error messages, or side effects. The vulnerability exists in M-Files Server (CPE: cpe:2.3:a:m-files_corporation:m-files_server), a document collaboration platform, affecting all versions before 26.3.

RemediationAI

Vendor-released patch: M-Files Server 26.3 or later. Organizations should immediately upgrade to version 26.3 or higher to remediate the blind SSRF in legacy connection methods. The patch addresses the input validation defect in document co-authoring connection handling. For organizations unable to patch immediately, network segmentation should be implemented to restrict M-Files Server's outbound HTTP access to only necessary external destinations, and internal network services should require authentication to prevent unauthorized access via forged requests. Detailed remediation guidance and patch availability are documented in the vendor advisories at https://empower.m-files.com/security-advisories/CVE-2026-0932 and https://product.m-files.com/security-advisories/cve-2026-0932/.

CVE-2023-6912 CRITICAL
9.8 Dec 20

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authe

CVE-2024-10127 CRITICAL
9.2 Nov 20

Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLD

CVE-2023-6239 HIGH
8.8 Nov 28

Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specif

CVE-2024-6789 HIGH
8.4 Aug 27

A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 2

CVE-2023-2112 HIGH
7.8 Apr 20

Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. Rated high severity (

CVE-2024-4056 HIGH
7.5 Apr 26

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allow

CVE-2023-6117 HIGH
7.5 Nov 22

A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API me

CVE-2023-3405 HIGH
7.5 Jun 27

Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonym

CVE-2023-0384 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2023-0383 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2022-4858 HIGH
7.5 Dec 30

Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive

CVE-2026-0983 HIGH
7.1 May 18

Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated r

Share

CVE-2026-0932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy