CVE-2026-5538
Status: Received - Intake
Server-Side Request Forgery in QingdaoU OnlineJudge JudgeServer

Publication date: 2026-04-05

Last updated on: 2026-04-05

Assigner: VulDB

Description
A vulnerability was detected in QingdaoU OnlineJudge up to 1.6.1. Affected by this issue is the function service_url of the file JudgeServer.service_url of the component judge_server_heartbeat Endpoint. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-04-05
Last Modified: 2026-04-05
Generated: 2026-05-07
AI Q&A: 2026-04-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: qingdaou
Product: onlinejudge
Version / Range: up to 1.6.1 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5538 is a stored Server-Side Request Forgery (SSRF) vulnerability in the QingdaoU OnlineJudge system, affecting versions up to 1.6.1. It exists in the judge_server_heartbeat API endpoint, specifically in the service_url parameter of the JudgeServer component.

An attacker with a valid judge server token can submit a malicious URL via the service_url parameter. This URL is stored in the database without proper validation or sanitization.

Later, when the system processes judge tasks, it uses the stored URL to make internal HTTP requests without re-validating it, allowing the attacker to force the server to make arbitrary requests to internal network resources.


How can this vulnerability impact me?

This vulnerability allows an attacker to make the server perform arbitrary HTTP requests to internal network resources, which can lead to several security risks.

  • Exfiltration of sensitive metadata, such as cloud service metadata endpoints.
  • Internal network scanning to discover other vulnerable services or systems.
  • Potential remote code execution if the attacker can leverage the SSRF to interact with internal services that execute commands.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring and analyzing requests to the /api/admin/judge_server_heartbeat endpoint, especially POST requests containing the service_url parameter.

Since the vulnerability requires authentication with a valid judge server token, detection involves checking for unusual or unauthorized POST requests to this endpoint.

You can also inspect the JudgeServer table in the MySQL database for suspicious or unexpected URLs stored in the service_url field.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to /api/admin/judge_server_heartbeat.
  • Run a SQL query to check stored URLs: SELECT service_url FROM JudgeServer WHERE service_url IS NOT NULL;
  • Check application logs for POST requests to /api/admin/judge_server_heartbeat with service_url parameters.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /api/admin/judge_server_heartbeat endpoint to trusted users only, as the vulnerability requires authentication.

Review and sanitize any stored service_url values in the JudgeServer database to remove malicious URLs.

Implement network-level controls to prevent the server from making arbitrary HTTP requests to internal or sensitive endpoints.

Monitor and audit logs for suspicious activity related to the judge server heartbeat API.

If possible, apply patches or updates from the vendor once available, or consider disabling the vulnerable functionality until a fix is released.
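The detection and mitigation answers above both come down to the same check: every service_url value, whether it arrives on the heartbeat endpoint or already sits in the JudgeServer table, must point at a judge server the operator actually runs and never at loopback, link-local (cloud metadata) or other unroutable addresses. The following added example is not part of the advisory or of the OnlineJudge code base; it assumes a hypothetical allow-list of judge-server hostnames and uses constructed sample rows standing in for the output of the SQL query listed above.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical inventory of legitimate judge servers; an operator fills this
# from their own deployment, not from the advisory.
ALLOWED_HOSTS = {"judge-1.example.internal", "judge-2.example.internal"}


def check_service_url(url: str) -> Optional[str]:
    """Return None if the URL is acceptable for a judge server, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not http(s)"
    if parts.username or parts.password:
        # user:pass@host tricks are a classic way to smuggle a different host
        return "userinfo in URL"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_link_local
                           or ip.is_unspecified or ip.is_multicast):
        # 127.0.0.0/8, ::1, 169.254.0.0/16 (cloud metadata), etc.
        return "loopback, link-local or unroutable address"
    if host not in ALLOWED_HOSTS:
        return "host not in allow-list"
    return None


def audit_stored_urls(rows: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Flag (id, reason) for every stored JudgeServer row whose service_url fails the check."""
    return [(row_id, reason) for row_id, url in rows
            if (reason := check_service_url(url)) is not None]


# Constructed sample rows, as if returned by
# SELECT id, service_url FROM JudgeServer WHERE service_url IS NOT NULL;
SAMPLE_ROWS = [
    (1, "http://judge-1.example.internal:8080"),
    (2, "http://169.254.169.254/"),
    (3, "http://127.0.0.1:6379"),
    (4, "file:///etc/passwd"),
    (5, "http://10.0.0.5:8080"),
    (6, "http://user:pw@judge-2.example.internal"),
]

if __name__ == "__main__":
    for row_id, reason in audit_stored_urls(SAMPLE_ROWS):
        print(f"row {row_id}: {reason}")
```

Run the same check_service_url on the heartbeat request before the value is written, not only on rows already stored, since the advisory notes the stored URL is reused later without re-validation.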


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-5538 is a stored Server-Side Request Forgery (SSRF) vulnerability that allows authenticated attackers to make arbitrary internal HTTP requests via the QingdaoU OnlineJudge system. This can lead to sensitive metadata exfiltration and internal network scanning.

Such unauthorized access and potential data exfiltration could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or disclosure.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

