CVE-2026-3966
Received Received - Intake
Server-Side Request Forgery in wvp-GB28181 IP Handler

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in 648540858 wvp-GB28181-pro up to 2.7.4-20260107. Affected by this vulnerability is the function getDownloadFilePath of the file /src/main/java/com/genersoft/iot/vmp/media/abl/ABLMediaNodeServerService.java of the component IP Address Handler. The manipulation of the argument MediaServer.streamIp results in server-side request forgery. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3966
EUVD
EUVD-2026-11491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
648540858 wvp_gb28181_pro to 2.7.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3966 is a stored Server-Side Request Forgery (SSRF) vulnerability in the wvp-GB28181-pro software (version up to 2.7.4). It occurs because the application does not validate the MediaServer.streamIp parameter when it is saved via an administrative API. This malicious IP address is stored in the database and later used to construct a URL for downloading cloud recordings without any validation. When a user triggers the download, the server makes an HTTP request to the attacker-controlled IP address, enabling SSRF attacks.

The vulnerability allows an attacker with administrative access to inject arbitrary IP addresses into the MediaServer configuration. Then, any user (even unauthenticated) can trigger the download functionality that causes the server to make requests to these attacker-controlled IPs. This can be exploited to access internal network services, cloud metadata endpoints, or other sensitive internal resources.

The root cause is lack of input validation on the streamIp parameter, unsafe URL construction, and unvalidated HTTP requests made by the OkHttp client. The vendor was notified but did not respond or provide mitigation.

Impact Analysis

This vulnerability can have several impacts on affected systems:

  • Confidentiality Impact: High risk as attackers can access internal network services, cloud metadata endpoints (e.g., AWS 169.254.169.254), retrieve IAM credentials, and sensitive configuration files.
  • Integrity Impact: Low but possible, as attackers might trigger internal system actions or cloud instance configuration changes via metadata APIs.
  • Availability Impact: Low, with potential denial of service by flooding internal services or causing resource exhaustion.

Real-world exploitation scenarios include cloud metadata access for credential theft, internal network scanning to identify live hosts and services, and enumeration or exploitation of internal services trusted by the vulnerable server.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the MediaServer.streamIp parameter has been manipulated to contain malicious or internal IP addresses, especially those related to cloud metadata services like AWS 169.254.169.254.'}, {'type': 'paragraph', 'content': 'Detection involves verifying if the vulnerable endpoints are being accessed or if suspicious IP addresses have been injected via the administrative API.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Use curl to check if malicious IP injection has occurred via the admin API endpoint: \n```bash\ncurl -X POST "http://[TARGET_HOST]/api/media_server/save" \\\n-H "Content-Type: application/json" \\\n-H "access-token: [ADMIN_JWT_TOKEN]" \\\n-d \'{"id":"malicious-server-01","streamIp":"169.254.169.254","mp4Port":80,"type":"ZLM","status":true}\'\n```'}, {'type': 'list_item', 'content': 'Check for unauthenticated triggering of downloads that cause SSRF by monitoring requests to the download endpoint: \n```bash\ncurl "http://[TARGET_HOST]/api/cloud/record/download/zip?ids=[CLOUD_RECORD_ID]" -o output.zip\n```'}, {'type': 'list_item', 'content': 'Monitor network traffic or logs for HTTP requests originating from the server to internal IP addresses or cloud metadata IPs, which may indicate SSRF exploitation.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict administrative access to the API endpoint `/api/media_server/save` to trusted users only, preventing injection of malicious IP addresses.
  • Implement input validation and sanitization on the `MediaServer.streamIp` parameter to prevent storing untrusted or internal IP addresses.
  • Enforce authentication and authorization on the cloud record download endpoint `/api/cloud/record/download/zip` to prevent unauthenticated triggering of SSRF.
  • Monitor and audit logs for suspicious activity related to these endpoints.
  • If possible, consider replacing the affected product or applying patches once available, as no known patches or vendor responses currently exist.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart