Description
Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs. This vulnerability is fixed in 0.7.1.
Published: 2026-03-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery leading to potential exfiltration of internal data
Action: Immediate Patch
AI Analysis

Impact

Quill, a tool for signing and notarizing macOS binaries, contains an SSRF vulnerability in versions prior to v0.7.1. When retrieving Apple notarization submission logs, Quill downloads a URL supplied in Apple's API response without validating that it uses https or that the host is a public domain. Exploitation requires an attacker to modify that API response, which is infeasible under normal HTTPS conditions but possible when TLS‑intercepting proxies, compromised certificate authorities, or other trust violations exist. An attacker who succeeds can cause Quill to issue requests to internal or attacker‑controlled servers, potentially exfiltrating sensitive data such as cloud credentials or internal service responses.

Affected Systems

The affected product is Quill from anchore. All releases before version 0.7.1 (including v0.6 and earlier) are vulnerable. Both the Quill CLI and its library API can be used to trigger the flaw.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires the attacker to tamper with the Apple notarization service response, a capability that typically demands a compromised CA, TLS‑intercepting proxy, or similar network trust violation. Thus the attack vector is limited, but environments with such network controls remain at risk.

Generated by OpenCVE AI on March 17, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Quill update to version 0.7.1 or later (official CNA solution).
  • If immediate update is not possible, restrict outbound network access for Quill by implementing firewall or proxy rules that block arbitrary URL fetching.

Generated by OpenCVE AI on March 17, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7q3q-5px6-4c5p Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval
History

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:anchore:quill:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Anchore
Anchore quill
Vendors & Products Anchore
Anchore quill

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 contains a Server-Side Request Forgery (SSRF) vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network conditions due to HTTPS with proper TLS certificate validation; however, environments with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or other trust boundary violations are at risk. When retrieving submission logs, Quill fetches a URL provided in the API response without validating that the scheme is https or that the host does not point to a local or multicast IP address. An attacker who can tamper with the response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations. This could lead to exfiltration of sensitive data such as cloud provider credentials or internal service responses. Both the Quill CLI and library are affected when used to retrieve notarization submission logs. This vulnerability is fixed in 0.7.1.
Title SSRF in Quill via unvalidated URL from Apple notarization log retrieval
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Anchore Quill
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T19:58:59.998Z

Reserved: 2026-03-10T15:40:10.481Z

Link: CVE-2026-31959

cve-icon Vulnrichment

Updated: 2026-03-12T19:58:56.705Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T20:16:16.777

Modified: 2026-03-16T19:24:00.673

Link: CVE-2026-31959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:16Z

Weaknesses