Skip to main content

linqi CVE-2026-11346

| EUVDEUVD-2026-34825 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-05 linqi GHSA-c7cw-qcqw-c783
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 13:01 EUVD
Analysis Generated
Jun 05, 2026 - 12:28 vuln.today
CVSS changed
Jun 05, 2026 - 12:22 NVD
5.3 (MEDIUM)

DescriptionCVE.org

A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance.

AnalysisAI

Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) arises when an application fetches a remote resource based on attacker-supplied input without adequate validation of the target URL. In linqi, the 'custom process creation' feature allows users to compose workflows containing an HTTP Request component - a server-side action that the application executes on behalf of the user. Because the target URL for this component is attacker-controlled and the server does not restrict it to external, allow-listed destinations, the attacker can redirect requests to internal RFC-1918 addresses or loopback interfaces. The observable differences in application-level responses (success vs. failure vs. timeout) function as a side-channel oracle, enabling port and host enumeration. The CPE string cpe:2.3:a:linqi_gmbh:linqi:*:*:*:*:*:*:*:* indicates the vendor has not bounded the affected version range, impling all current releases are potentially vulnerable.

RemediationAI

Consult the vendor's security advisory at https://linqi.help/en/reference/security/security-advisories/#security-advisory-server-side-request-forgery-ssrf-allowing-internal-network-probing for patch guidance; a fix version was not independently confirmed from the provided input data, so 'patch available per vendor advisory' is the current status. As a compensating control, enforce an egress allowlist on the linqi application server so that outbound HTTP connections from the process execution engine are restricted to approved external destinations only - this prevents SSRF pivoting to internal network ranges and cloud metadata endpoints (e.g., 169.254.169.254). Additionally, apply network segmentation so the linqi server cannot reach sensitive internal services; this reduces the reconnaissance value of the SSRF channel without requiring application-layer changes. Restricting access to the custom process creation feature to trusted administrative roles reduces exposure if role-based access controls permit such granularity. Note that blocking metadata endpoints via host-based firewall rules may interfere with legitimate cloud provider integrations if the application relies on instance metadata.

Share

CVE-2026-11346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy