CVE-2026-8320
Received Received - Intake
Server-Side Request Forgery in jshERP

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A security vulnerability has been detected in jishenghua jshERP up to 3.6. This affects the function getUserByWeixinCode of the file jshERP-boot/src/main/java/com/jsh/erp/service/UserService.java of the component updatePlatformConfigByKey Endpoint. Such manipulation of the argument weixinUrl leads to server-side request forgery. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8320
EUVD
EUVD-2026-29211
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jishenghua jsherp to 3.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-8320 vulnerability allows an authenticated admin user to manipulate the WeChat integration URL, leading to server-side request forgery (SSRF). This can expose internal network resources, cloud metadata, and sensitive credentials such as WeChat API keys.

Such exposure of sensitive data and internal resources can lead to unauthorized access and data breaches, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Specifically, the risk of credential exfiltration and internal network scanning increases the likelihood of compromising confidential data, potentially resulting in non-compliance with standards mandating strict access controls, data confidentiality, and breach notification.

Mitigation recommendations such as implementing whitelists, validating URLs, audit logging, re-authentication, network segmentation, and monitoring outbound requests are important to reduce compliance risks.

Executive Summary

CVE-2026-8320 is a Server-Side Request Forgery (SSRF) vulnerability in the jshERP application up to version 3.6. It affects the function getUserByWeixinCode via the updatePlatformConfigByKey endpoint, where an authenticated admin user can manipulate the weixinUrl parameter to an arbitrary URL.

This manipulation causes the application to make requests to attacker-controlled or internal URLs when WeChat login is triggered, potentially exposing internal network resources, cloud metadata, and WeChat API credentials.

The vulnerability arises because the application does not properly validate which configuration keys can be modified, trusts database-stored URLs without re-validation, and transmits sensitive credentials in URL query parameters.

Impact Analysis

If exploited, this vulnerability allows an attacker with admin access to perform unauthorized internal network scanning and access sensitive internal services.

It can lead to exposure and theft of cloud metadata (such as AWS instance metadata), WeChat API credentials, and other internal service information.

Attackers can also exfiltrate sensitive data by redirecting requests to attacker-controlled domains, potentially compromising the security of the entire deployment.

This risk is especially significant in cloud environments (AWS, GCP, Azure) and setups where internal services are accessible from the application server.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized modifications to the weixinUrl parameter via the /platformConfig/updatePlatformConfigByKey endpoint, especially by admin users. Detection can also involve auditing outbound HTTP requests from the application server to unexpected or internal IP addresses, such as cloud metadata endpoints (e.g., AWS 169.254.169.254) or attacker-controlled domains.

Suggested commands include inspecting web server or application logs for POST requests to /platformConfig/updatePlatformConfigByKey with changes to the weixinUrl parameter. For example, using grep on logs:

  • grep "/platformConfig/updatePlatformConfigByKey" /var/log/app_access.log | grep "weixinUrl"

Additionally, monitoring outbound HTTP requests from the server can be done with tools like tcpdump or curl to detect suspicious connections:

  • tcpdump -i eth0 host 169.254.169.254
  • netstat -anp | grep ESTABLISHED

Reviewing application database entries for unexpected or unauthorized weixinUrl values can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include implementing a whitelist for allowed configuration keys to prevent unauthorized modification of sensitive keys like weixinUrl.

Validate the weixinUrl parameter against a strict WeChat domain pattern to ensure only legitimate URLs are accepted.

Move sensitive URLs and credentials from the database to environment variables or secure configuration files to avoid trusting user-modifiable data.

Additional recommended measures include enabling audit logging for configuration changes, requiring re-authentication for sensitive modifications, implementing network segmentation to restrict access to internal services, and monitoring outbound HTTP requests for suspicious activity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart