CVE-2026-5936
Received Received - Intake
Server-Side Request Forgery in HTTP Service Enables Internal Network Access

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: Foxit

Description
An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5936
EUVD
EUVD-2026-21887
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker to control a server-side HTTP request by providing a specially crafted URL. As a result, the server can be tricked into making requests to arbitrary destinations chosen by the attacker.

This can be exploited to probe internal network services, access endpoints that are normally unreachable such as cloud metadata services, or bypass network access controls.

Impact Analysis

The vulnerability can lead to sensitive information disclosure by allowing attackers to access internal services and data that should be protected.

It may also enable further compromise of the internal environment by bypassing network access controls and probing internal network services.

Compliance Impact

This vulnerability allows an attacker to cause a server to make HTTP requests to arbitrary destinations, potentially leading to sensitive information disclosure and further compromise of internal systems.

Such unauthorized disclosure or access to sensitive data could impact compliance with regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

By enabling attackers to bypass network access controls and access internal endpoints, this vulnerability increases the risk of data breaches that may violate these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5936. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart