Skip to main content

Apache Answer EUVD-2026-35370

| CVE-2026-34031 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-09 GHSA-x4f6-mqg6-28xx
File Upload Apache
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
CVSS changed
Jun 09, 2026 - 16:22 NVD
6.5 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 08:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Articles & Coverage 1

News Critical SSRF in Apache Answer 2.0.0 - CVE-2026-34031 Jun 09, 2026

AnalysisAI

Insufficient validation of user-supplied avatar image URLs in Apache Answer through 2.0.0 allows authenticated users to set arbitrary external URLs as profile images, causing the platform or clients to issue outbound HTTP requests to attacker-controlled servers on page load. This exposes user IP addresses, HTTP headers, and browsing activity to third-party infrastructure whenever affected profiles are viewed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register authenticated account on Apache Answer instance
Delivery
Navigate to profile settings and set avatar URL to attacker-controlled server
Exploit
Victim users load pages rendering attacker's profile avatar
Execution
Browser or server issues outbound HTTP request to attacker URL
Impact
Attacker harvests victim IP addresses and HTTP metadata
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The custom avatar or profile image URL feature must be enabled and accessible to registered users, which is standard default functionality in Apache Answer through 2.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided, which limits precise metric-based risk stratification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an account on a public or internal Apache Answer instance, navigates to profile settings, and sets their avatar URL to an attacker-controlled server endpoint such as a custom HTTP listener. When other users browse threads or profiles where the attacker's avatar is displayed, their browsers issue HTTP GET requests to the attacker's server, leaking their IP addresses and User-Agent strings. …
Remediation Upgrade Apache Answer to version 2.0.1, which is the vendor-confirmed fix per the oss-security advisory (https://seclists.org/oss-sec/2026/q2/850) and the Apache Answer project site (https://answer.apache.org). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Apache Answer instances running version 2.0.0 or earlier; assess authentication scope and profile visibility settings. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-35370 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy