Skip to main content

Laravel-Mediable CVE-2026-49969

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-13 VulnCheck
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network-exploitable with low privileges; scope change because SSRF reaches external systems; high confidentiality impact reflects IAM credential exfiltration from cloud metadata endpoints.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:45 vuln.today
Analysis Generated
Jul 13, 2026 - 19:45 vuln.today

DescriptionCVE.org

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.

AnalysisAI

Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Laravel application
Delivery
Submit crafted internal URL to media upload endpoint
Exploit
RemoteUrlAdapter fetches URL without validation
Execution
Server reaches cloud metadata endpoint or internal host
Persist
Retrieve IAM credentials or sensitive internal data
Impact
Escalate privileges within cloud environment

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application exposes at least one endpoint that accepts user-supplied URLs and processes them through MediaUploader::fromSource() using RemoteUrlAdapter - this is an explicit application integration, not a default-enabled behavior of the package itself. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) reflects a network-exploitable, low-complexity attack requiring low-privilege application access with no user interaction - a realistic threat model for any multi-user Laravel application. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user on a Laravel application (e.g., a registered account) submits a crafted media import request with a URL such as http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role to an endpoint wired to MediaUploader::fromSource(). The application server fetches the URL via RemoteUrlAdapter without restriction, receives the AWS IAM temporary credentials JSON response, and the attacker reads the returned content to obtain AccessKeyId, SecretAccessKey, and SessionToken. …
Remediation Upgrade to Laravel-Mediable 7.0.0 immediately - the vendor designates this a security release and strongly recommends upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy