PatchSiren cyber security CVE debrief
CVE-2026-9464 YunaiV CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in the YunaiV yudao-cloud platform, in the IotDataSinkHttpConfig function reachable through the /admin-api/iot/data-sink/create Admin API endpoint. The vulnerability was published on 2026-05-25 and last modified on 2026-05-26. A remote attacker who can call the endpoint can manipulate the HTTP sink configuration so that the server issues requests to destinations of the attacker's choosing. A public exploit has been disclosed. The vendor was contacted about the disclosure but did not respond. The vulnerability is rated LOW with a CVSS 4.0 base score of 2.0; the low score reflects the high privileges (an authenticated administrative user) needed to reach the endpoint, not the reach of the resulting requests. The weakness is categorized as CWE-918 (Server-Side Request Forgery).
- Vendor
- YunaiV
- Product
- yudao-cloud
- CVSS
- LOW 2.0
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running YunaiV yudao-cloud 2026.03 with exposed Admin API endpoints; security teams monitoring for SSRF vulnerabilities in IoT data pipeline configurations; administrators responsible for API gateway security and outbound request controls
Technical summary
The vulnerability resides in the IotDataSinkHttpConfig function of the yudao-cloud Admin API. An authenticated attacker holding high privileges can supply HTTP sink configuration parameters whose destination the server does not validate, inducing the application to make requests to arbitrary destinations, including hosts that are reachable only from the server's own network. The attack vector is network-based with low attack complexity; it requires no user interaction but does require high privileges. A public exploit is available, which raises the practical risk above what the low CVSS base score alone suggests.
Defensive priority
low
Recommended defensive actions
- Review and restrict network access to the /admin-api/iot/data-sink/create endpoint so that only administrative networks or jump hosts can reach it
- Validate the destination URL handled by IotDataSinkHttpConfig against an allowlist of approved sink hosts, and reject non-HTTP(S) schemes and any address in loopback, private, or link-local ranges
- Apply the principle of least privilege to Admin API access; the SSRF is only reachable by accounts that can create data sinks
- Monitor for unexpected outbound requests from application servers, in particular connections to internal services or link-local addresses originating from the yudao-cloud process
- Contact YunaiV for patch availability and security updates
- Resolve sink hostnames once at validation time and connect to the validated address, so that a DNS record that changes between validation and use (DNS rebinding) cannot bypass the check, and do not follow redirects from a sink endpoint without re-validating the new destination
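The following is an added worked example of the URL allowlist and address check described in the actions above. It is illustrative code written for this debrief, not code from yudao-cloud, and it does not model the real fields of IotDataSinkHttpConfig. The function names, the sink policy (http/https only, approved hosts only, no non-public addresses), and the stub DNS table are assumptions constructed for the example so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for an HTTP data sink: only http/https, only pre-approved
# hosts, and never an address that lands inside the deployment's own network.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class SinkUrlRejected(ValueError):
    """Raised when a sink URL fails the SSRF policy; the message says why."""


def _is_public_address(ip):
    """True only for addresses a sink may legitimately be sent to."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (
        ip.is_private        # RFC 1918, ULA, and (in Python) the TEST-NET ranges
        or ip.is_loopback
        or ip.is_link_local  # includes 169.254.169.254, the cloud metadata address
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def _system_resolve(host):
    """Default resolver: every A/AAAA answer for host, as strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_sink_url(url, allowed_hosts, resolve=_system_resolve):
    """Check url against the sink policy.

    Returns (scheme, host, port, pinned_ip). The caller must open the
    connection to pinned_ip (sending `host` as the Host header / SNI) rather
    than resolving the name again; otherwise a record that changes between
    validation and connection (DNS rebinding) defeats the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SinkUrlRejected(f"scheme {scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # http://collector.example.com@10.0.0.1/ has hostname 10.0.0.1
        raise SinkUrlRejected("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".")  # trailing dot is the same name
    if not host:
        raise SinkUrlRejected("URL has no host")
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SinkUrlRejected(f"bad port: {exc}") from None
    if host not in {h.lower().rstrip(".") for h in allowed_hosts}:
        raise SinkUrlRejected(f"host {host!r} not in allowlist")

    # Literal IPs need no lookup; names get every answer checked, not just one.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        raise SinkUrlRejected(f"host {host!r} did not resolve")
    for ip in addresses:
        if not _is_public_address(ip):
            raise SinkUrlRejected(f"host {host!r} resolves to non-public {ip}")
    return scheme, host, port, str(addresses[0])


def check(url, allowed_hosts, resolve=_system_resolve):
    """Return None if url is accepted, else the rejection reason (for logs/UI)."""
    try:
        validate_sink_url(url, allowed_hosts, resolve)
    except SinkUrlRejected as exc:
        return str(exc)
    return None


# Constructed stub DNS table so the example runs offline (assumption, not real data).
STUB_DNS = {
    "collector.example.com": ["8.8.8.8"],
    "rebind.example.com": ["9.9.9.9", "10.0.0.5"],   # one answer is internal
    "meta.example.com": ["169.254.169.254"],          # metadata-service address
}


def stub_resolve(host):
    return STUB_DNS.get(host, [])


if __name__ == "__main__":
    allowed = set(STUB_DNS) | {"127.0.0.1", "::1"}
    for url in [
        "https://collector.example.com/ingest",
        "http://collector.example.com@10.0.0.1/",
        "http://127.0.0.1:8080/",
        "http://rebind.example.com/",
        "http://meta.example.com/latest/meta-data/",
        "file:///etc/passwd",
    ]:
        print(url, "->", check(url, allowed, stub_resolve) or "accepted")
```

The check has to run server-side, when the sink is created or updated and again when it is used, since the stored configuration can be edited later. The pinned address only helps if the HTTP client actually connects to it: with most clients that means installing a custom resolver or connecting by IP while setting the Host header and SNI explicitly. Redirect following should be disabled for sink requests, or each redirect target re-validated with the same function, because a 3xx from an allowed host is otherwise an open door to internal addresses.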
Evidence notes
Vulnerability details are sourced from NVD, with VulDB as the assigning CNA. The CVE record is in Deferred status. Multiple source references are available, including a GitHub repository containing the disclosure details and the VulDB vulnerability entries.
Official resources
public