CVE-2026-41177
Received Received - Intake
Blind SSRF in Squidex Restore API Enables Local File Access

Publication date: 2026-04-22

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41177
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
squidex squidex to 7.23.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade Squidex to version 7.23.0 or later, as this version contains a fix that properly validates the URI scheme of the user-supplied Url parameter, preventing the use of the file:// protocol.

Additionally, restrict administrative access to trusted users only, since exploitation requires authenticated administrator privileges.

Executive Summary

This vulnerability affects the Squidex Restore API prior to version 7.23.0. It is a Blind Server-Side Request Forgery (SSRF) issue where the application does not properly validate the URI scheme of the user-supplied `Url` parameter. Specifically, it allows the use of the `file://` protocol, which means an authenticated administrator can make the backend server interact with its local filesystem.

This interaction can lead to Local File Interaction (LFI), potentially exposing sensitive system information through side-channel analysis of internal logs.

Impact Analysis

The vulnerability allows an authenticated administrator to exploit the Restore API to access local files on the backend server. This can lead to the disclosure of sensitive system information, which might be used to further compromise the system or gain unauthorized insights into its configuration.

While the impact on integrity and availability is limited, the confidentiality of sensitive data is at high risk due to this vulnerability.

Compliance Impact

The vulnerability allows an authenticated administrator to exploit Blind Server-Side Request Forgery (SSRF) to interact with the local filesystem, potentially leading to disclosure of sensitive system information.

Such unauthorized disclosure of sensitive information could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or disclosure.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41177. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart