Laravel-Mediable
CVE-2026-49969
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-exploitable with low privileges; scope change because SSRF reaches external systems; high confidentiality impact reflects IAM credential exfiltration from cloud metadata endpoints.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource(). Attackers can craft URLs targeting RFC-1918 addresses, loopback interfaces, cloud metadata endpoints, or file:// URIs through RemoteUrlAdapter to reach internal infrastructure, retrieve sensitive files, and exfiltrate cloud credentials such as IAM tokens from instance metadata services.
AnalysisAI
Server-side request forgery in Laravel-Mediable before 7.0.0 enables network-accessible, low-privilege attackers to issue arbitrary HTTP requests originating from the server by supplying unvalidated URLs to any application endpoint backed by MediaUploader::fromSource(). The RemoteUrlAdapter class accepts caller-controlled URLs without restricting schemes, IP ranges, or hostnames, allowing requests to RFC-1918 addresses, loopback interfaces, file:// URIs, and cloud instance metadata endpoints such as AWS IMDSv1 at 169.254.169.254. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application exposes at least one endpoint that accepts user-supplied URLs and processes them through MediaUploader::fromSource() using RemoteUrlAdapter - this is an explicit application integration, not a default-enabled behavior of the package itself. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) reflects a network-exploitable, low-complexity attack requiring low-privilege application access with no user interaction - a realistic threat model for any multi-user Laravel application. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user on a Laravel application (e.g., a registered account) submits a crafted media import request with a URL such as http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role to an endpoint wired to MediaUploader::fromSource(). The application server fetches the URL via RemoteUrlAdapter without restriction, receives the AWS IAM temporary credentials JSON response, and the attacker reads the returned content to obtain AccessKeyId, SecretAccessKey, and SessionToken. … |
| Remediation | Upgrade to Laravel-Mediable 7.0.0 immediately - the vendor designates this a security release and strongly recommends upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Laravel Mediable
View allArbitrary file write in the Plank Laravel-Mediable package (before 7.0.0) lets an attacker who influences the destinatio
Remote code execution in the plank/laravel-mediable package before 7.0.0 lets attackers upload a double-extension file s
Stored XSS in Laravel-Mediable before 7.0.0 allows network-accessible, unauthenticated attackers to persist malicious Ja
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today