Skip to main content

FlowIntel CVE-2026-9813

| EUVDEUVD-2026-32862 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-28 5a6e4751-2f3f-4070-9419-94fb35b644e8 GHSA-58wp-jwch-fgj5
6.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:L/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:L/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
N

Lifecycle Timeline

3
Patch available
May 28, 2026 - 12:31 EUVD
Source Code Evidence Fetched
May 28, 2026 - 10:32 vuln.today
Analysis Generated
May 28, 2026 - 10:32 vuln.today

DescriptionCVE.org

FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.

AnalysisAI

Server-side request forgery in FlowIntel up to version 3.3.0 allows a low-privileged authenticated user to coerce the application server into issuing HTTP HEAD requests to attacker-specified destinations-including loopback addresses, RFC 1918 private ranges, link-local cloud metadata endpoints, and other restricted network resources-via the external reference URL probe feature in app/case/task.py. The root cause is absent URL scheme filtering and missing resolved-IP validation before the outbound request is dispatched. No public exploit has been identified at time of analysis and the CVE is not listed in CISA KEV, though the upstream fix commit confirms the flaw's existence and scope.

Technical ContextAI

FlowIntel is a case management and threat intelligence platform. The vulnerable code resides in the external reference URL probe handler within app/case/task.py, which accepted an attacker-supplied URL and issued an HTTP HEAD request without validating the URL scheme or checking whether the hostname resolved to a restricted IP range. CWE-918 (Server-Side Request Forgery) identifies the root cause class: user-controlled input is used to construct and dispatch a server-side network request without adequate origin validation. The fix commit (68b523b47854c54bf36fd706c0fd5353063b5409) reveals exactly what was missing pre-patch: imports for ipaddress, socket, and urllib.parse were absent, meaning no scheme allowlisting, no DNS resolution step, and no IP-range checks (private, loopback, link-local, multicast, reserved, unspecified) were in place. This class of flaw is especially impactful in cloud-hosted deployments where metadata services such as the AWS Instance Metadata Service (IMDS) at 169.254.169.254 are reachable from the application server's network context. No CPE string was provided in the source data.

RemediationAI

Apply the upstream fix from commit 68b523b47854c54bf36fd706c0fd5353063b5409 (https://github.com/flowintel/flowintel/commit/68b523b47854c54bf36fd706c0fd5353063b5409), which introduces scheme allowlisting (http and https only), hostname presence validation, DNS resolution via socket.getaddrinfo, and IP range blocking covering private, loopback, link-local, multicast, reserved, and unspecified addresses. A formally versioned release beyond 3.3.0 has not been confirmed from available data - monitor the FlowIntel GitHub releases page for a tagged version incorporating this commit before deploying to production. As a compensating control pending patch deployment, restrict the application server's egress via host-based or network firewall rules to block outbound connections to 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16; this prevents the most impactful SSRF targets (cloud metadata, internal APIs) without disabling the feature, though it does not eliminate SSRF to arbitrary internet hosts. In AWS environments, enforcing IMDSv2 (token-required mode) on the instance adds an additional layer that prevents credential theft via metadata SSRF even if network controls are bypassed. Restricting the external reference URL submission feature to trusted user roles reduces the attack surface consistent with the PR:L exploitation prerequisite.

Share

CVE-2026-9813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy