Home

Description

FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.

PUBLISHED Reserved 2026-05-28 | Published 2026-05-28 | Updated 2026-05-28 | Assigner CIRCL




MEDIUM: 6.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/S:N/RE:L/U:Green

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version before 3.3.0
affected

Credits

Bilal Teke finder

David Cruciani remediation verifier

Alexandre Dulaunoy remediation developer

Codex (GPT-5.5) tool

References

github.com/...ommit/68b523b47854c54bf36fd706c0fd5353063b5409 patch

cve.org (CVE-2026-9813)

nvd.nist.gov (CVE-2026-9813)

Download JSON