CVE-2026-0932
Blind SSRF in M-Files Server Legacy Co-Authoring Features
Publication date: 2026-04-01
Last updated on: 2026-04-02
Assigner: M-Files Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| m-files | m-files_server | all versions up to, but excluding, 26.3.15818.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0932 is a blind server-side request forgery (SSRF) vulnerability in the legacy connection methods of the document co-authoring features of M-Files Server. It affects versions prior to 26.3.15818.5.
The flaw allows an unauthenticated attacker to make the M-Files Server issue HTTP GET requests to attacker-chosen URLs.
Because the SSRF is blind, the attacker does not receive the response to the forged request. What the attacker can learn is that the request was made and the IP address from which the M-Files Server makes outbound connections; the GET requests themselves carry no other sensitive information.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can make the M-Files Server send HTTP GET requests to attacker-chosen URLs, including addresses that are reachable only from the server's network position, without authenticating first.
This reveals the source IP address of the M-Files Server and therefore some information about the network it sits in.
Exploitation may also cause a moderate performance impact on the affected M-Files Server instance, since each forged request consumes server resources.
No other sensitive information is disclosed: the attacker does not see the content of any response the server receives.
What immediate steps should I take to mitigate this vulnerability?
To fix CVE-2026-0932, upgrade M-Files Server to version 26.3.15818.5 or later; the vulnerability exists in all earlier versions.
Until the upgrade is done, disabling or restricting the legacy connection methods of the document co-authoring features reduces exposure, and restricting outbound HTTP from the M-Files Server host to the destinations it legitimately needs (egress filtering) limits what a forged request can reach.
Monitor the server for outbound HTTP GET requests to unusual or unexpected destinations, which may indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the M-Files Server to send HTTP GET requests to attacker-chosen URLs because of a blind server-side request forgery (SSRF) in the legacy connection methods of the document co-authoring features.
To determine whether you are affected, check the installed M-Files Server version: any version earlier than 26.3.15818.5 is vulnerable.
To detect exploitation attempts, monitor outbound HTTP GET requests from the M-Files Server to unusual or unexpected destinations, especially ones that do not correspond to normal server operations (update, CRL/OCSP, or integration endpoints).
Network monitoring tools or packet capture utilities such as tcpdump or Wireshark can be used to observe this traffic.
Example commands to monitor HTTP GET requests originating from the server:
- Using tcpdump to capture cleartext HTTP GET requests (the offset expression skips a variable-length TCP header, then matches the bytes "GET "): tcpdump -i <interface> -A 'src host <server_ip> and tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
- Using tshark (Wireshark CLI) to filter HTTP GET requests: tshark -i <interface> -Y 'http.request.method == "GET" and ip.src == <server_ip>'
Replace <interface> with your network interface name and <server_ip> with the IP address of your M-Files Server.
Both filters only see the request line in cleartext HTTP. A forged request to an https:// URL shows up as a TLS connection from the server without a visible method or path, so outbound-proxy, firewall, and DNS logs (an attacker confirming a blind SSRF typically uses a hostname they control) are more reliable sources than packet capture.
Reviewing server logs for unexpected outbound HTTP requests or unexplained performance impacts may also help identify exploitation attempts.
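The following script is an added example, not code from the page or from M-Files, of the log-based detection described above: it reads proxy access-log lines in the Squid native format, keeps only GET requests whose client is the M-Files Server, and flags destinations that are not on an allowlist. It classifies each flagged destination as internal (RFC 1918 or loopback), link-local (for example a cloud instance-metadata endpoint) or an unlisted external host, since a forged request to an internal address is the case a defender cares most about. The server IP, the allowlist and the log lines are all constructed for the example; note that a blind SSRF is confirmed by the connection attempt alone, so failed requests (status 000, zero bytes) are still reported.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed address of the M-Files Server for this example (assumption).
MFILES_SERVER_IP = "10.10.5.20"

# Destinations the server is expected to contact (constructed allowlist).
ALLOWED_HOSTS = {"crl.example.test", "updates.example.test"}

# Constructed Squid native access.log lines:
# timestamp elapsed client action/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1775000001.123    45 10.10.5.20 TCP_MISS/200 1843 GET http://crl.example.test/root.crl - HIER_DIRECT/203.0.113.7 application/pkix-crl
1775000002.456    12 10.10.5.20 TCP_MISS/200 3120 GET http://169.254.169.254/latest/meta-data/ - HIER_DIRECT/169.254.169.254 text/plain
1775000003.789   210 10.10.5.20 TCP_MISS/000 0 GET http://oob.attacker.example:8080/probe - HIER_NONE/- -
1775000004.001    33 10.10.7.9 TCP_MISS/200 9000 GET http://updates.example.test/x - HIER_DIRECT/203.0.113.9 text/html
1775000005.002    19 10.10.5.20 TCP_MISS/200 512 GET http://10.10.1.15/ - HIER_DIRECT/10.10.1.15 text/html
"""

# Only the fields needed for the check are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_destination(url):
    """Return 'allowed', 'internal', 'link-local' or 'external-unlisted' for a URL."""
    host = urlsplit(url).hostname or ""
    if host in ALLOWED_HOSTS:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname that is not on the allowlist; resolution is deliberately
        # not attempted here so the check works offline.
        return "external-unlisted"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private or ip.is_loopback:
        return "internal"
    return "external-unlisted"


def find_suspicious_requests(log_text, server_ip=MFILES_SERVER_IP):
    """List (timestamp, url, verdict) for GETs from the server to non-allowlisted hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("client") != server_ip or m.group("method") != "GET":
            continue
        verdict = classify_destination(m.group("url"))
        if verdict != "allowed":
            findings.append((m.group("ts"), m.group("url"), verdict))
    return findings


if __name__ == "__main__":
    for ts, url, verdict in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts}  {verdict:<17} {url}")
```

Point the script at the real access log of the proxy the M-Files Server egresses through and adjust ALLOWED_HOSTS to the destinations your deployment actually uses; anything reported for a link-local or internal address during the window before the upgrade to 26.3.15818.5 deserves an incident-response look.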