Executive Summary

CVE-2026-0932 is a blind server-side request forgery (SSRF) vulnerability found in legacy connection methods of the document co-authoring features in M-Files Server versions prior to 26.3.15818.5.

This vulnerability allows an unauthenticated attacker to cause the M-Files Server to send HTTP GET requests to arbitrary URLs.

Successful exploitation can reveal the IP address of the M-Files Server handling the request, although no other sensitive information is included in these GET requests.

Useful 0 Not Useful 0

Impact Analysis

An attacker exploiting this vulnerability can make the M-Files Server send HTTP GET requests to arbitrary URLs without authentication.

This can reveal the IP address of the M-Files Server, potentially exposing network information.

Additionally, exploitation may cause a moderate performance impact on the affected M-Files Server instance.

However, no other sensitive information is disclosed through this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-0932 vulnerability, you should upgrade your M-Files Server to version 26.3.15818.5 or later, as the vulnerability exists in versions prior to this release.

Since the vulnerability affects legacy connection methods of document co-authoring features, disabling or restricting these legacy methods may also reduce exposure until an upgrade can be performed.

Monitor your server for unusual outbound HTTP GET requests to arbitrary URLs, which may indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the M-Files Server sending HTTP GET requests to arbitrary URLs due to a blind server-side request forgery (SSRF) in legacy connection methods of document co-authoring features.

To detect this vulnerability on your system, you can monitor outgoing HTTP GET requests from the M-Files Server to unusual or unexpected external URLs, especially those that do not correspond to normal server operations.

Network monitoring tools or packet capture utilities like tcpdump or Wireshark can be used to observe such traffic.

Example commands to monitor HTTP GET requests from the server include:

• Using tcpdump to capture HTTP GET requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip src <server_ip>) and (tcp[32:4] = 0x47455420)))'
• Using tshark (Wireshark CLI) to filter HTTP GET requests: tshark -i <interface> -Y 'http.request.method == "GET" and ip.src == <server_ip>'

Replace <interface> with your network interface name and <server_ip> with the IP address of your M-Files Server.

Additionally, reviewing server logs for unexpected outbound HTTP requests or unusual performance impacts may help identify exploitation attempts.

Useful 0 Not Useful 0