Description
A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance.
Published: 2026-06-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw exists in the custom process creation feature of linqi. An authenticated user can craft a process that includes an HTTP Request component, causing the server to send arbitrary HTTP requests to any target. By interpreting the server’s responses—Success, Failed, or 504 Gateway Time‑out—the attacker can deduce whether specific internal ports are open or closed, enabling detailed network reconnaissance.

Affected Systems

The vulnerability affects linqi GmbH’s linqi product. No specific version information was supplied in the advisory, so all releases may be susceptible until an official fix is released.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk. Exploitation requires valid authentication, but the SSRF capability allows probing across the internal network, which can aid further attacks. No EPSS data is provided, and the issue is not listed in CISA KEV, suggesting it is not currently exploited at scale. Nonetheless, the ability of authenticated users to enumerate internal services represents a significant threat vector for adversaries with access to the application.

Generated by OpenCVE AI on June 5, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement the vendor’s latest patch or upgrade to a version that resolves the SSRF flaw.
  • Limit the process‑creation capability to a narrow set of privileged accounts and enforce strict input validation on URL fields.
  • Configure outbound firewall rules or network segmentation to block HTTP/HTTPS traffic from the linqi application to internal addresses.
  • Reduce error visibility by sanitizing responses so that port status information is not leaked via success, failure, or timeout messages.
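
The URL-validation and response-sanitizing recommendations above, combined in an added example (not linqi or OpenCVE code): a destination check for an HTTP Request step that refuses any host resolving to a non-public address and reports blocked, refused and timed-out requests identically. The function names, the `send` transport callable and the message text are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

GENERIC_FAILURE = "Request could not be completed"  # assumed wording

def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # Classify IPv4-mapped IPv6 (::ffff:10.0.0.1) by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_destination(url, resolver=socket.getaddrinfo):
    """Return (allowed, pinned_ips); every resolved address must be public."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, []
        port = parts.port or (443 if parts.scheme == "https" else 80)
        infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    except (ValueError, OSError):  # bad URL or port, or resolution failure
        return False, []
    ips = sorted({info[4][0] for info in infos})
    if not ips or not all(is_public(ip) for ip in ips):
        return False, []
    return True, ips

def run_http_step(url, send, resolver=socket.getaddrinfo):
    """Run the step; blocked, refused and timed-out all look the same."""
    allowed, ips = check_destination(url, resolver)
    if not allowed:
        return {"ok": False, "message": GENERIC_FAILURE}
    try:
        # Hypothetical transport: must connect only to the pinned IPs (no
        # second DNS lookup), refuse redirects, and use a short fixed timeout.
        send(url, ips)
    except Exception:
        return {"ok": False, "message": GENERIC_FAILURE}
    return {"ok": True, "message": "Request completed"}
```

The uniform result removes only the message oracle; response time can still differ, so the outbound firewall rule from the third recommendation remains necessary.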


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linqi, Linqi linqi
Vendors & Products | | Linqi, Linqi linqi

Fri, 05 Jun 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance.
Title | | Server-Side Request Forgery (SSRF) allowing Internal Network Probing in linqi
Weaknesses | | CWE-918
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: linqi

Published:

Updated: 2026-06-05T11:53:39.545Z

Reserved: 2026-06-05T08:52:34.489Z

Link: CVE-2026-11346

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T12:16:37.597

Modified: 2026-06-05T12:16:37.597

Link: CVE-2026-11346

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T13:30:35Z

Weaknesses