Which versions of Apiflow are affected by CVE-2026-4528?

An unauthenticated Server-Side Request Forgery vulnerability in trueleaf ApiFlow 0.9.7 allows attackers to hijack server requests and access internal resources without a patch currently available.

Is there a public PoC exploit available for CVE-2026-4528?

Yes, a public proof-of-concept exploit is available for CVE-2026-4528. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-4528?

Within 24 hours: Inventory all systems running trueleaf ApiFlow 0.9.7 and assess their exposure to untrusted networks; immediately implement network segmentation or WAF rules to restrict access to the validateUrlSecurity endpoint. Within 7 days: Deploy compensating controls including URL allowlisting, egress filtering to block internal IP ranges, and enhanced logging on affected systems; evaluate feasibility of upgrading to a patched version or alternative product. Within 30 days: Complete migration away from version 0.9.7 to a patched release or decommission the affected component; conduct a security audit of any internal resources accessed during the vulnerability window.

Apiflow CVE-2026-4528

Q: What is the CVSS score of CVE-2026-4528?

CVE-2026-4528 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-14258 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-03-21 VulDB

GHSA-29mf-95fh-hwxf

SSRF Apiflow

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Severity Changed

Apr 24, 2026 - 16:37 NVD

HIGH MEDIUM

CVSS changed

Apr 24, 2026 - 16:37 NVD

7.3 (HIGH) 6.9 (MEDIUM)

PoC Detected

Mar 23, 2026 - 14:31 vuln.today

Public exploit code

EUVD ID Assigned

Mar 21, 2026 - 22:15 euvd

EUVD-2026-14258

Analysis Generated

Mar 21, 2026 - 22:15 vuln.today

CVE Published

Mar 21, 2026 - 22:02 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/http_proxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

A Server-Side Request Forgery (SSRF) vulnerability exists in the validateUrlSecurity function within trueleaf ApiFlow version 0.9.7's URL validation handler. This flaw allows unauthenticated remote attackers to manipulate server-side requests to access internal resources or perform actions on behalf of the server. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URL with internal target

Delivery

Send request to validateUrlSecurity function

Exploit

Bypass URL validation checks

Execution

Execute server-side request to internal resource

Impact

Access sensitive data or internal services