CVE-2026-41177 - Vulnerability Details

- Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction

Description

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Squidex Restore API accepts a user‑supplied Url parameter without validating its scheme, permitting use of the file:// protocol. An authenticated administrator can force the backend server to access any local file via the Restore API, leading to local file interaction and potential disclosure of sensitive information through side‑channel analysis of internal logs. The flaw does not provide arbitrary code execution.

Affected Systems

All Squidex installations running a version earlier than 7.23.0 are vulnerable. The exploitation requires administrator privileges to the HQ API; only users with such access can invoke the Restore endpoint. Version 7.23.0 and later contain the fix.

Risk and Exploitability

The CVSS base score of 5.5 indicates moderate severity. The EPSS score of < 1% shows a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires authenticated administrator access, the risk is limited to environments where such accounts are compromised or misused. No remote, unauthenticated attacker can exploit the flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Squidex

squidex

affected

Version	Status	Constraints
`< 7.23.0`	affected	—

No data.

Vendor Product Confidence Versions

Squidex.io

Squidex

91%

Version	Status	Scheme	Platform
`[0,7.23.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Squidex to version 7.23.0 or later to eliminate the blind SSRF issue.
Limit the scope of administrator API credentials and ensure only trusted users have access to the HQ API.
Monitor and audit logs for unexpected file access attempts involving the Restore API, and block suspicious patterns.

Generated by OpenCVE AI on April 28, 2026 at 07:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4
https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5

History

Mon, 27 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Squidex.io Squidex.io squidex
Vendors & Products		Squidex.io Squidex.io squidex

Thu, 23 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the use of the `file://` protocol. This allows an authenticated administrator to force the backend server to interact with the local filesystem, which can lead to Local File Interaction (LFI) and potential disclosure of sensitive system information through side-channel analysis of internal logs. Version 7.23.0 contains a fix.
Title		Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction
Weaknesses		CWE-73 CWE-918
References		https://github.com/Squidex/squidex/commit/b81d75e1d9c1a8e30993c2ee59b350002b9aeda4 https://github.com/Squidex/squidex/security/advisories/GHSA-45fq-w37p-qfw5
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L'}`

Subscriptions

Squidex.io Squidex

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-22T21:24:10.051Z

Updated: 2026-04-23T16:24:31.604Z

Reserved: 2026-04-17T16:34:45.526Z

Link: CVE-2026-41177

Vulnrichment

Updated: 2026-04-23T13:51:03.313Z

NVD

Status : Deferred

Published: 2026-04-22T22:16:31.957

Modified: 2026-04-24T14:45:24.803

Link: CVE-2026-41177

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object