Skip to main content

Microsoft CVE-2026-5131

| EUVDEUVD-2026-23409 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-17 CERT-PL GHSA-f2cg-3cww-mcq8
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 17, 2026 - 15:07 nvd
Patch available
Patch available
Apr 17, 2026 - 12:01 EUVD
Analysis Generated
Apr 17, 2026 - 11:26 vuln.today
CVSS changed
Apr 17, 2026 - 11:22 NVD
6.9 (MEDIUM)
EUVD ID Assigned
Apr 17, 2026 - 11:15 euvd
EUVD-2026-23409
Analysis Generated
Apr 17, 2026 - 11:15 vuln.today
CVE Published
Apr 17, 2026 - 10:45 nvd
MEDIUM 6.9

DescriptionCVE.org

GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly. This allows an attacker to communicate with the stream and upload any XML or JSON file, which will be processed by the named pipe with the privileges of the user under whose context the service is running. This allows for Server-Side Request Forgery to any Windows system on which the agent is installed and which provides communication via SMB or WebDav.

This issue was fixed in version 2.8.33.

AnalysisAI

GREENmod before 2.8.33 allows remote code execution and server-side request forgery via incorrectly configured named pipes that accept unauthenticated XML or JSON file uploads, processing them with service-level privileges on Windows systems. An attacker on the network can abuse this to trigger SSRF attacks against SMB or WebDAV targets accessible to the service account, potentially compromising internal Windows infrastructure without authentication.

Technical ContextAI

GRENmod is a Windows-based agent that uses named pipes for inter-process communication between plugins, a web portal, and a system service. Named pipes are a Windows IPC mechanism that relies on access control lists (ACLs) to enforce security boundaries. CWE-918 (Server-Side Request Forgery) indicates the vulnerability stems from insufficient input validation and privilege context confusion - the service processes attacker-supplied XML/JSON files without proper sandboxing, allowing the service's elevated privileges to be leveraged for unauthorized network requests. The CVSS vector shows network-accessible attack surface (AV:N) with low complexity (AC:L), meaning default configurations are exploitable. The scope change (SC:L) and integrity/availability impacts (SI:L, SA:L) indicate the service can be manipulated to modify or access resources beyond its intended boundary.

RemediationAI

Vendor-released patch: GREENmod 2.8.33 or later. Immediately upgrade all affected GREENmod deployments to 2.8.33 to apply corrected named pipe ACLs. If immediate patching is not feasible, implement network segmentation to restrict access to GREENmod named pipes (typically accessible on port 445 via SMB or via local IPC) - configure Windows firewall rules to deny inbound connections to the GREENmod service from untrusted network segments. Additionally, restrict the service account's network privileges by running GREENmod under a least-privileged service account that cannot access internal SMB/WebDAV shares; this limits the scope of SSRF attacks even if the pipe is compromised. Review SMB/WebDAV access controls to deny the GREENmod service account unnecessary share permissions. Monitor named pipe activity and XML/JSON file submissions to the service for anomalies. These controls introduce operational overhead (e.g., service account privilege reduction may break plugin functionality) - conduct testing before production deployment.

Share

CVE-2026-5131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy