Description
A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a server‑side request forgery (SSRF) triggered by the handleUrlFile function in the File URL Handler component of activepieces. An attacker can supply any URL, causing the server to perform requests to that address. This can lead to unauthorized data exfiltration, internal network reconnaissance, or further exploitation of resources behind the activepieces host. The flaw is a classic input‑validation weakness (CWE‑918) and can be executed remotely without authentication.

Affected Systems

The flaw exists in activepieces versions up to and including 0.83.0. It affects the component located at packages/server/engine/src/lib/variables/processors/file.ts, which is part of the activepieces open‑source application. No other vendors or product lines are impacted.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Public exploits are known, and the attack vector is remote; an attacker can trigger the SSRF by sending a crafted request to the affected endpoint. Because the flaw resides in internal processing and does not involve authentication bypass, an unauthenticated attacker can immediately exploit it, but successful exploitation may also require additional privileges or forward‑looking reconnaissance.

Generated by OpenCVE AI on June 22, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade activepieces to the latest available release that includes the SSRF fix as soon as it is released.
  • If an upgrade is not feasible in the short term, disable or restrict the File URL handler endpoint so it cannot accept arbitrary URLs from external input.
  • Configure network‑level filtering or a web application firewall to block outbound requests from the activepieces server to internal IP ranges, private networks, or disallowed domains, thereby limiting the potential impact of the SSRF.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 23:00:00 +0000

Changes (Type: Values Added; no removed values are listed):

Description: A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: activepieces File URL file.ts handleUrlFile server-side request forgery
First Time appeared: Activepieces; Activepieces activepieces
Weaknesses: CWE-918
CPEs: cpe:2.3:a:activepieces:activepieces:*:*:*:*:*:*:*:*
Vendors & Products: Activepieces; Activepieces activepieces
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T22:30:09.414Z

Reserved: 2026-06-21T06:17:14.598Z

Link: CVE-2026-12813

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T00:30:16Z

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF)