Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance.
AnalysisAI
Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. Affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) arises when an application fetches a remote resource based on attacker-supplied input without adequate validation of the target URL. In linqi, the 'custom process creation' feature allows users to compose workflows containing an HTTP Request component - a server-side action that the application executes on behalf of the user. Because the target URL for this component is attacker-controlled and the server does not restrict it to external, allow-listed destinations, the attacker can redirect requests to internal RFC-1918 addresses or loopback interfaces. The observable differences in application-level responses (success vs. failure vs. timeout) function as a side-channel oracle, enabling port and host enumeration. The CPE string cpe:2.3:a:linqi_gmbh:linqi:*:*:*:*:*:*:*:* indicates the vendor has not bounded the affected version range, impling all current releases are potentially vulnerable.
RemediationAI
Consult the vendor's security advisory at https://linqi.help/en/reference/security/security-advisories/#security-advisory-server-side-request-forgery-ssrf-allowing-internal-network-probing for patch guidance; a fix version was not independently confirmed from the provided input data, so 'patch available per vendor advisory' is the current status. As a compensating control, enforce an egress allowlist on the linqi application server so that outbound HTTP connections from the process execution engine are restricted to approved external destinations only - this prevents SSRF pivoting to internal network ranges and cloud metadata endpoints (e.g., 169.254.169.254). Additionally, apply network segmentation so the linqi server cannot reach sensitive internal services; this reduces the reconnaissance value of the SSRF channel without requiring application-layer changes. Restricting access to the custom process creation feature to trusted administrative roles reduces exposure if role-based access controls permit such granularity. Note that blocking metadata endpoints via host-based firewall rules may interfere with legitimate cloud provider integrations if the application relies on instance metadata.
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
Cryptographic weaknesses in the linqi application (versions ≤1.4.8.5) allow local attackers with low-level privileges to
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated high severity (CVSS 7.5), this vulnerability is remote
Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and wri
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the Val
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.9), this vulnerability is no a
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 5.5), this vulnerability is remo
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated medium severity (CVSS 4.8), this vulnerability is low
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34825
GHSA-c7cw-qcqw-c783