CVE-2026-16223
Received Received - Intake

Server-Side Request Forgery in 1Panel-dev CordysCRM

Vulnerability report for CVE-2026-16223, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was determined in 1Panel-dev CordysCRM up to 1.4.1. Impacted is the function getSqlBotSrc of the file backend/crm/src/main/java/cn/cordys/crm/system/service/IntegrationConfigService.java of the component Third Party Edit Endpoint. Executing a manipulation of the argument appSecret can lead to server-side request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
1panel-dev cordyscrm to 1.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Server-Side Request Forgery (SSRF) vulnerability in CordysCRM version 1.4.1 or earlier. The issue occurs in the getSqlBotSrc function of IntegrationConfigService.java. The application extracts URLs from the appSecret parameter using a regex pattern without proper validation. These URLs are then used to create HTTP connections via URI.create(jsUrl).toURL().openConnection() without restrictions on protocols or internal IP addresses. Attackers can inject malicious URLs into appSecret to force the server to make requests to arbitrary external or internal addresses.

Detection Guidance

To detect this SSRF vulnerability in CordysCRM 1.4.1, monitor network traffic for unexpected outbound connections from the server, especially to internal IP ranges or unusual domains. Check logs for requests to the `/organization/settings/third-party/edit` or `/organization/settings/third-party/test` endpoints with suspicious `appSecret` parameters containing URLs. Use tools like Wireshark or tcpdump to capture outgoing traffic from the server.

Impact Analysis

Exploitation could allow attackers to perform internal network reconnaissance by forcing the server to access internal resources. It may also lead to data leakage if sensitive information is exposed through crafted requests. Further attacks could be launched from the server, potentially compromising other systems in the network. The vulnerability requires low privileges to exploit, making it accessible to attackers with basic access.

Compliance Impact

This SSRF vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection requirements and HIPAA's safeguards for protected health information. Organizations may face compliance violations if sensitive data is exposed through server-side requests. The lack of proper input validation and security controls also indicates inadequate security measures, which could result in regulatory penalties.

Mitigation Strategies

Immediately upgrade CordysCRM to a patched version if available. If not, restrict access to the vulnerable endpoints via firewall rules. Implement strict input validation for the `appSecret` parameter, blocking internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) and allowing only trusted domains. Disable the `/organization/settings/third-party/test` endpoint if unused. Monitor server logs for SSRF attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart