CVE-2026-41172
SSRF Vulnerability in Squidex Asset Upload Allows Internal Access
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| squidex | squidex | all versions before 7.23.0 (7.23.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How can this vulnerability impact me?
An attacker who holds asset upload permissions can make the Squidex server issue requests to internal or external URLs that it should not reach. This can expose internal services or sensitive data on private networks that are not directly reachable by the attacker. Because the fetched response is stored as an asset, the attacker can also persist and retrieve that data, which may lead to data leakage or further exploitation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this SSRF vulnerability in Squidex, you should upgrade to version 7.23.0 or later, which contains the fix.
Can you explain this vulnerability to me?
This vulnerability exists in Squidex, an open source headless content management system. Before version 7.23.0, a user who has permission to upload assets can exploit a Server-Side Request Forgery (SSRF) weakness in the upload-by-URL path: the server fetches a user-supplied URL, including URLs pointing at localhost or private network ranges, without sufficiently checking the destination, and then saves the fetched response as an asset.
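The defensive counterpart to the weakness described above is a destination check applied before the server fetches a user-supplied URL. The following is an added example written for this page; it is not Squidex's code and does not reproduce the project's fix. It assumes a hypothetical `resolve(host)` callback (so it runs offline with a constructed hostname table) and rejects non-HTTP(S) schemes, URLs carrying userinfo, and any target whose literal or resolved address is loopback, private, link-local, multicast, reserved or unspecified, unwrapping IPv4-mapped IPv6 addresses so they cannot be used to slip past the check.

```python
"""Destination check for a server-side fetch of a user-supplied URL.

Added example, not Squidex's own code. The resolver is injected so the
check runs offline; a deployment would pass a function that performs a
real DNS lookup and returns every address the name resolves to.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed hostname table standing in for DNS (assumption for this example).
SAMPLE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "internal.example": ["10.0.0.5"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    """Offline stand-in for gethostbyname_ex-style resolution."""
    return SAMPLE_DNS.get(host.lower(), [])


def _is_public(ip) -> bool:
    """True only for addresses that are routable on the public internet."""
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_fetch_target(url: str, resolve=fake_resolve) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch.

    Every address the host maps to must be public; one private address in
    a multi-record answer is enough to refuse the fetch.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "userinfo in url"
    host = parts.hostname
    if not host:
        return False, "missing host"

    # A literal IP is checked directly; a name goes through the resolver.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "resolution failed"
        if not addrs:
            return False, "host did not resolve"

    for ip in addrs:
        # ::ffff:a.b.c.d is really an IPv4 address; classify the inner one.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example/logo.png",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://internal.example/",
        "file:///etc/hostname",
    ):
        print(candidate, "->", check_fetch_target(candidate))
```

Two caveats apply when wiring a check like this into a real fetch. The address list must be verified at connect time rather than in a separate pre-check, otherwise a DNS answer that changes between the check and the connection defeats it; and the same check has to run again on every redirect hop, since an allowed public URL can redirect into an internal address.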