Description

Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allows an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

PUBLISHED | Reserved 2026-01-14 | Published 2026-04-01 | Updated 2026-04-01 | Assigner M-Files Corporation

MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: unaffected

Any version before 26.3.15818.5: affected

Credits

Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber), finder

References

empower.m-files.com/security-advisories/CVE-2026-0932 vendor-advisory

product.m-files.com/security-advisories/cve-2026-0932/ vendor-advisory

cve.org (CVE-2026-0932)

nvd.nist.gov (CVE-2026-0932)
