Skip to main content

yudao-cloud EUVD-2026-31684

| CVE-2026-9464 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-25 VulDB GHSA-mrqr-qxqw-9753
SSRF Yudao Cloud
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 13:16 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 20:07 NVD
4.7 (MEDIUM) 2.0 (LOW)

DescriptionCVE.org

A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in YunaiV yudao-cloud 2026.03 allows authenticated administrators to force the server to issue arbitrary HTTP requests via the IoT data sink creation endpoint. The vulnerability exists in the IotDataSinkHttpConfig function exposed at /admin-api/iot/data-sink/create, where attacker-controlled URL parameters are passed to an outbound HTTP client without adequate validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials via phishing or reuse
Delivery
Authenticate to yudao-cloud Admin API
Exploit
Submit crafted HTTP data sink config to /admin-api/iot/data-sink/create
Execution
Server issues SSRF request to attacker-specified internal URL
Impact
Retrieve internal service response or metadata
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid high-privilege administrator session on the yudao-cloud Admin API (CVSS PR:H confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The real-world risk is low-to-moderate despite public POC availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained high-privilege administrator credentials - through phishing, credential reuse, or an insider threat - authenticates to the yudao-cloud Admin API and submits a crafted POST request to /admin-api/iot/data-sink/create with a malicious URL (e.g., http://169.254.169.254/latest/meta-data/ or http://internal-service:8080/admin) as the HTTP sink target. The server processes the IotDataSinkHttpConfig and issues an outbound HTTP request to the attacker-controlled destination, potentially returning internal service responses or cloud metadata to the attacker. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor was contacted prior to disclosure and did not respond, leaving the vulnerability unpatched. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31684 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy