CVE-2026-5618
Received Received - Intake
Server-Side Request Forgery in kalcaddle kodbox shareMake Component

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5618
EUVD
EUVD-2026-19164
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5618 is a vulnerability in Kodbox (KodExplorer) version 1.64 affecting the shareMake/shareCheck component. It allows unauthenticated remote attackers to manipulate share configurations by forging authentication tokens due to a hard-coded symmetric key used in a weak cryptographic scheme. This flaw enables attackers to create or modify external shares, including assigning high-privilege permissions, without proper authorization.

Additionally, attacker-controlled parameters siteFrom and siteTo can be exploited to perform server-side request forgery (SSRF), potentially allowing attackers to make unauthorized requests from the server.

The root causes include the use of a publicly known hard-coded key, reliance on deprecated cryptography without proper session binding or replay protection, and lack of server-side authorization checks.

Impact Analysis

This vulnerability can have serious impacts including unauthorized creation and modification of share configurations in Kodbox, potentially granting attackers high-level access such as admin privileges.

It also enables server-side request forgery (SSRF) attacks, which can be used to access internal resources or services that are otherwise protected.

Overall, it compromises the integrity and confidentiality of the Kodbox deployment by bypassing authentication and authorization mechanisms.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP requests to the shareOut endpoints, specifically shareMake and shareCheck, for suspicious or forged _check tokens.

Since the exploit involves crafted HTTP GET requests with forged _check tokens that allow unauthorized share modifications, detection can focus on identifying such unauthorized requests.

Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture HTTP requests targeting the shareMake/shareCheck endpoints, and searching for requests containing the _check parameter.

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'shareMake\|shareCheck\|_check='
  • Use web server logs (e.g., Apache or Nginx access logs) to search for GET requests to /explorer/shareOut/shareMake or /explorer/shareOut/shareCheck containing the _check parameter.
  • grep '_check=' /var/log/nginx/access.log | grep 'shareMake\|shareCheck'

Additionally, implement logging and monitoring of all shareOut-related endpoint calls to detect suspicious activity as part of ongoing detection.

Mitigation Strategies

Immediate mitigation steps include enforcing proper authentication and authorization on the shareOut endpoints to restrict operations to authenticated users with appropriate permissions.

Remove the hard-coded symmetric key "kodShareOut" from the codebase and replace it with a per-deployment, high-entropy secret stored securely outside the code.

Replace the custom Mcrypt-based cryptographic scheme with modern cryptographic primitives such as AEAD (AES-GCM, ChaCha20-Poly1305) or HMAC (HMAC-SHA256) over canonicalized parameters.

Bind tokens to context, include timestamps, expirations, and nonces to prevent replay attacks.

Restrict and validate the siteFrom and siteTo parameters to prevent SSRF attacks by allowlisting domains, blocking internal IP ranges and metadata endpoints, and limiting protocols.

Implement logging and monitoring of all shareOut-related endpoint calls to detect suspicious activity.

Compliance Impact

CVE-2026-5618 allows unauthenticated remote attackers to bypass authentication and authorization mechanisms in Kodbox 1.64, enabling unauthorized creation and modification of share configurations and potential server-side request forgery (SSRF) attacks.

Such unauthorized access and manipulation can lead to breaches of confidentiality and integrity of sensitive data, which may violate common compliance standards and regulations like GDPR and HIPAA that require strict access controls, data protection, and monitoring.

The vulnerability’s impact on authentication and authorization controls, as well as the potential exposure of sensitive information through SSRF, could result in non-compliance with these regulations, especially regarding data privacy, secure access, and incident detection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5618. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart