CVE-2026-31959
SSRF Vulnerability in Quill Allows Internal Network Requests
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anchore | quill | to 0.7.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31959 is a Server-Side Request Forgery (SSRF) vulnerability in Quill versions before v0.7.1 that occurs when fetching Apple notarization submission logs.

The vulnerability exists because Quill retrieves a URL from Apple's notarization API response without validating that the URL uses the HTTPS scheme or that the host is not a local or multicast IP address.

An attacker who can tamper with the API response (possible in environments with TLS-intercepting proxies, compromised certificate authorities, or other trust boundary violations) can supply arbitrary URLs.

This causes Quill to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations, potentially leading to exfiltration of sensitive data.

Both the Quill CLI and library are affected, and the issue was fixed in version v0.7.1. [1]
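The two checks the description says were missing (an HTTPS scheme, and a host that is not a local or multicast address) as a defensive validator for a URL taken from a remote API response. This is an added example, not Quill's own code or its fix; `ValidateLogURL`, `FakeLookup` and the hostnames in its table are assumptions constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

var ErrUntrustedURL = errors.New("untrusted log URL") // returned for any rejected URL

// isForbiddenIP: loopback, private, link-local, multicast or unspecified.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateLogURL requires HTTPS and that the host (IP literal or name) maps
// only to public unicast addresses. lookup is injected so the check runs
// offline in this example; pass net.LookupIP in real code.
func ValidateLogURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedURL, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q is not https", ErrUntrustedURL, u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal (or empty host): resolve the name
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("%w: cannot resolve host %q", ErrUntrustedURL, host)
		}
	}
	for _, ip := range ips { // every record must be public, not just the first
		if isForbiddenIP(ip) {
			return fmt.Errorf("%w: %s maps to non-public %s", ErrUntrustedURL, host, ip)
		}
	}
	return nil
}

// FakeLookup is a constructed resolver for offline demonstration; unknown names get no addresses.
func FakeLookup(host string) ([]net.IP, error) {
	return map[string][]net.IP{
		"logs.example.com": {net.ParseIP("203.0.113.10")},
		"rebind.example":   {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}[host], nil
}
```

Resolving at validation time still leaves a window between check and connect (DNS rebinding), so in practice the same IP check belongs in the transport's dialer (`net.Dialer.Control`) as well. Also restrict redirects with `http.Client.CheckRedirect`, since a redirect to a forbidden destination would otherwise bypass the check.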
How can this vulnerability impact me?
If exploited, this vulnerability can cause Quill to send requests to attacker-controlled or internal network destinations.

This can lead to the exfiltration of sensitive data such as cloud provider credentials or internal service responses.

Exploitation requires the ability to tamper with Apple's notarization API responses, which is generally difficult under normal network conditions but possible in environments with TLS-intercepting proxies or compromised certificate authorities. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual HTTP or HTTPS requests issued by the Quill client to unexpected or internal network destinations, especially when fetching Apple notarization submission logs.

Since exploitation requires tampering with Apple's notarization API responses, environments with TLS-intercepting proxies or compromised certificate authorities are at higher risk.

You can use network monitoring tools or commands to detect suspicious outbound requests from Quill to local or multicast IP addresses or attacker-controlled domains.

- Use tcpdump or Wireshark to capture and analyze outgoing traffic from the system running Quill, filtering for HTTP/HTTPS requests to unusual IP addresses or domains.
- Example tcpdump command: `sudo tcpdump -i any -n 'not host apple.com and (port 80 or port 443)'`
- Check Quill logs for any unexpected URLs being fetched when retrieving notarization submission logs. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Quill to version v0.7.1 or later, where this SSRF vulnerability has been fixed.

Additionally, ensure that your environment does not allow tampering with Apple's notarization API responses by avoiding TLS-intercepting proxies or compromised certificate authorities.

Review and restrict network access to prevent Quill from making HTTP/HTTPS requests to internal or untrusted destinations. [1]