PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9813 flowintel CVE debrief

FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality located in app/case/task.py. An attacker with the ability to submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. The vulnerability stems from insufficient validation of both the URL scheme and the resolved destination address, allowing affected versions to make requests to loopback addresses, link-local addresses, private IP ranges, reserved addresses, and other restricted network resources. This may enable interaction with internal services or cloud metadata endpoints from the server's network context.

Vendor
flowintel
Product
Unknown
CVSS
MEDIUM 6.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running FlowIntel versions up to 3.3.0, particularly those deployed in cloud environments where metadata service access could lead to credential exposure or instance compromise. Security teams should prioritize patching if the application handles untrusted user input for external references. Development teams using similar URL fetching patterns should review their implementations for comparable validation gaps.

Technical summary

The vulnerability exists in app/case/task.py where the external reference URL probe functionality processes user-submitted URLs without adequate validation. The application performs HTTP HEAD requests to user-provided destinations, but fails to properly validate the URL scheme and resolved IP address. This allows attackers to specify URLs that resolve to restricted destinations including loopback interfaces, link-local addresses, private network ranges, and cloud metadata endpoints. Successful exploitation could enable attackers to probe or interact with internal services, access cloud instance metadata services, or perform port scanning of internal networks from the application's network context. The vulnerability requires low privileges and user interaction, with high impacts to system integrity and availability.

Defensive priority

medium

Recommended defensive actions

  • Review and apply the referenced commit to address the SSRF vulnerability in the external reference URL probe functionality
  • Implement strict URL validation that blocks requests to loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16, fe80::/10), private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7), and cloud metadata endpoints (e.
  • g., 169.254.169.254)
  • Validate and restrict allowed URL schemes to only those required (e.g., http, https) and explicitly deny dangerous schemes
  • Implement DNS resolution validation to prevent DNS rebinding attacks that could bypass IP-based filters
  • Consider using an isolated network segment or proxy for outbound requests from the URL probe functionality
  • Audit existing external reference URLs in the application for signs of exploitation attempts
  • Review application logs for unexpected outbound requests to internal addresses or cloud metadata services

Evidence notes

The vulnerability description indicates the issue exists in app/case/task.py within the external reference URL probe functionality. A commit reference is available that appears to address this vulnerability. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and user interaction required, with impacts to system confidentiality (low), system integrity (high), and system availability (high). The weakness is classified as CWE-918 (Server-Side Request Forgery).

Official resources

2026-05-28