Description
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the "Backup" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix.
Published: 2026-04-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery via an administrative backup restoration endpoint
Action: Patch ASAP
AI Analysis

Impact

The flaw stems from an admin-only endpoint that accepts an arbitrary URL from which to download backup archives. The request is executed through an HTTP client with no SSRF protection, so an attacker who holds, or has compromised, administrator credentials can direct the server to fetch content from any internal or external address. This enables probing internal services, reaching cloud metadata endpoints, or otherwise performing reconnaissance against the protected environment. The issue is categorized as server-side request forgery (CWE-918) and carries a CVSS score of 7.2, indicating a medium-to-high risk of compromise.

Affected Systems

The vulnerability exists in Squidex installations running versions older than 7.23.0; version 7.23.0 and later include a fix. All Squidex deployments that expose the RestoreController.PostRestoreJob endpoint to administrative users are potentially impacted. The affected product is the Squidex content management platform (vendor Squidex.io).

Risk and Exploitability

Because this flaw requires authenticated admin access, the need for privileged credentials lowers the threat level, yet the impact is high if such credentials are compromised. The CVSS score reflects that severity, and the EPSS score of less than 1% indicates a very low but non-zero exploitation probability; the vulnerability is not listed in the CISA KEV catalog. The attack path involves an authenticated administrator supplying a malicious URL to the backup restore endpoint, which causes the server to attempt a request to a targeted internal resource. Failure to mitigate may enable sensitive internal disclosure or further lateral movement within the network.

Generated by OpenCVE AI on April 28, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Squidex to version 7.23.0 or later, which includes the SSRF fix.
  • Restrict the RestoreController.PostRestoreJob endpoint to accept only whitelisted URLs or enforce a same-origin policy, preventing arbitrary downloads.
  • Configure network segmentation or firewall rules to block the Squidex instance from accessing internal IP ranges or critical metadata services.
  • Ensure all administrator accounts employ multi-factor authentication and promptly remove any unnecessary privileged accounts to reduce the risk of credential compromise.
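The second recommended action above (accept only allowlisted URLs and never let the server fetch from internal ranges or metadata services) is what an SSRF guard in front of a backup-download client has to enforce. The following is an added example of such a guard written for this page; it is not Squidex code and does not reflect how the 7.23.0 fix is implemented. It parses the operator-supplied URL, rejects non-HTTP schemes and embedded credentials, optionally enforces a host allowlist, resolves the host, and refuses the download if any resolved address is loopback, private, link-local (which is where 169.254.169.254-style cloud metadata services live), multicast, reserved or unspecified, including IPv4 addresses hidden inside IPv4-mapped IPv6 literals. The `resolver` parameter, the `fake_resolver` table and the hostnames and addresses in it are constructed for the example so that it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only these URL schemes are acceptable for a backup archive download (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_address(addr) -> bool:
    """True if the address points somewhere a server-side fetch must never go."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a mapped loopback/private address is caught too.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, documentation ranges, ...
        or addr.is_loopback    # 127/8, ::1
        or addr.is_link_local  # 169.254/16 (cloud metadata endpoints), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified  # 0.0.0.0, ::
    )


def _default_resolver(host: str):
    """Resolve a hostname to all of its A/AAAA addresses (strings)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_backup_url(url: str, resolver=_default_resolver, allowed_hosts=None):
    """Return (ok, reason). The caller fetches the URL only when ok is True."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return False, f"host not in allowlist: {host}"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) so ip_address() accepts it.
            addresses = [ipaddress.ip_address(a.split("%", 1)[0]) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError):
            return False, f"cannot resolve host: {host}"
        if not addresses:
            return False, f"host resolved to no addresses: {host}"
    # Every resolved address must be acceptable, not just the first one returned.
    for addr in addresses:
        if _is_disallowed_address(addr):
            return False, f"host {host} resolves to disallowed address {addr}"
    return True, "ok"


# Constructed resolver table standing in for DNS. 1.2.3.4 is used as a generic public
# address because ipaddress classifies the RFC 5737 documentation ranges as private.
_FAKE_DNS = {
    "backups.example.com": ["1.2.3.4"],
    "mixed.example.com": ["1.2.3.4", "10.0.0.5"],   # one public, one internal record
    "meta.example.com": ["169.254.169.254"],
}


def fake_resolver(host: str):
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return _FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://backups.example.com/site.zip",
        "https://mixed.example.com/site.zip",
        "http://meta.example.com/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/site.zip",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_backup_url(candidate, resolver=fake_resolver))
```

Validating before the fetch still leaves a time-of-check/time-of-use gap (DNS rebinding, or a redirect to an internal address after the check passed). A complete fix therefore connects to the address that was validated rather than re-resolving, and either disables redirects or runs the same check on every redirect target. The network segmentation in the third recommended action remains the backstop if the application-level check is bypassed.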


Tracking


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Squidex.io; Squidex.io squidex
Vendors & Products | | Squidex.io; Squidex.io squidex

Thu, 23 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the "Backup" `HttpClient` without any SSRF protection. A malicious or compromised admin can use this endpoint to probe internal network services, access cloud metadata endpoints, or perform internal reconnaissance. The vulnerability is authenticated (Admin-only) but highly impactful, allowing potential access to sensitive internal resources. Version 7.23.0 contains a fix.
Title | | Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests
Weaknesses | | CWE-918
References | |
Metrics | | cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:24:06.260Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41170

Vulnrichment

Updated: 2026-04-23T14:22:42.488Z

NVD

Status : Deferred

Published: 2026-04-22T22:16:31.377

Modified: 2026-04-24T14:45:24.803

Link: CVE-2026-41170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses