Skip to main content

Cloudreve EUVDEUVD-2026-44687

| CVE-2026-54562 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-15 GitHub_M
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects the required authenticated session with remote download permission; C:H captures full internal response exfiltration; I:N and A:N because no write or denial-of-service impact is present.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:34 vuln.today
Analysis Generated
Jul 15, 2026 - 15:34 vuln.today

DescriptionCVE.org

Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve's remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, allowing a non-admin user with remote download permission to fetch internal-only URLs and read the response after it is imported into the user's own files. This issue is fixed in version 4.16.1.

AnalysisAI

Server-Side Request Forgery in Cloudreve's remote download workflow (versions prior to 4.16.1) enables authenticated users holding the remote download permission to direct the application server to fetch arbitrary internal URLs via POST /api/v4/workflow/download. Because the downloader accepted user-supplied URLs without validating loopback, localhost, IPv6 localhost, or redirect-to-loopback targets, a low-privileged user could exfiltrate responses from internal services - including cloud instance metadata endpoints, internal APIs, or services bound to 127.0.0.1 - by reading the downloaded content from their own Cloudreve file storage. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Cloudreve account with remote download permission
Delivery
Submit crafted internal URL to POST /api/v4/workflow/download
Exploit
Cloudreve server fetches internal resource without SSRF validation
Execution
Response body stored as file in attacker's Cloudreve storage
Impact
Attacker downloads or previews file to read internal service response

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid Cloudreve user account with the remote download feature permission explicitly granted - this is a non-admin permission that operators assign to users, confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately reflects the threat profile: network-reachable, low complexity, but constrained by a required authenticated session with remote download permission (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid Cloudreve account and remote download permission submits a POST request to /api/v4/workflow/download with the URL set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS instance metadata) or http://127.0.0.1:6379 (local Redis). The Cloudreve server fetches the target URL server-side and stores the response as a file in the attacker's Cloudreve storage, where they then download or preview it to read the internal service response. …
Remediation Upgrade to Cloudreve 4.16.1 or later, available at https://github.com/cloudreve/cloudreve/releases/tag/4.16.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy