Skip to main content

Onlinejudge CVE-2026-5538

| EUVDEUVD-2026-19024 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-05 VulDB GHSA-fpw6-p57h-mv5q
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 05, 2026 - 04:00 euvd
EUVD-2026-19024
Analysis Generated
Apr 05, 2026 - 04:00 vuln.today
CVE Published
Apr 05, 2026 - 03:15 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery (SSRF) in QingdaoU OnlineJudge up to version 1.6.1 allows authenticated remote attackers to perform arbitrary HTTP requests via the judge_server_heartbeat endpoint's service_url parameter, enabling potential exfiltration of internal data, interaction with internal services, or lateral movement within the target network. The vendor has not responded to disclosure attempts, and no official patch has been released.

Technical ContextAI

The vulnerability resides in the JudgeServer.service_url component of the judge_server_heartbeat endpoint, which processes a service_url parameter without proper input validation or URL scheme restriction. This is a classic CWE-918 (Server-Side Request Forgery) vulnerability where user-supplied URLs are fetched server-side without sanitization. An authenticated user can manipulate the service_url parameter to point to internal IP addresses (127.0.0.1, 192.168.x.x), private cloud metadata endpoints (169.254.169.254), or other sensitive internal services, causing the OnlineJudge server to make requests on their behalf. The CPE cpe:2.3:a:qingdaou:onlinejudge:*:*:*:*:*:*:*:* indicates all versions up to and including 1.6.1 are affected.

RemediationAI

No vendor-released patch has been identified at time of analysis, and the vendor has not responded to early disclosure contact. Organizations operating QingdaoU OnlineJudge should: (1) restrict access to the judge_server_heartbeat endpoint to trusted internal networks only via network segmentation or WAF rules; (2) implement egress filtering on the OnlineJudge server to block outbound connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints (169.254.169.254); (3) apply URL scheme whitelisting (if any code review is feasible) to reject non-http/https protocols; (4) monitor authentication logs and requests to the heartbeat endpoint for suspicious service_url parameter values pointing to internal addresses; and (5) evaluate alternative online judge platforms with active security maintenance if prolonged unavailability of a patch becomes untenable. Monitor https://vuldb.com/vuln/355291 for future vendor updates.

Share

CVE-2026-5538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy