Description
A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/http_proxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-03-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the validateUrlSecurity function of trueleaf ApiFlow's proxy service. It permits an attacker to override URL validation, leading to a server‑side request forgery that can reach arbitrary internal or external targets. This can result in sensitive data exposure, service discovery, or serve as a foothold for lateral movement.

Affected Systems

trueleaf ApiFlow version 0.9.7 is affected. No other releases are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity level. Public information confirms that exploitation is possible from remote attackers. EPSS data is unavailable, and the issue is not listed in the known exploited vulnerability catalog. The attack is likely to occur via crafted API requests to the proxy endpoint, making remote exploitation straightforward.

Generated by OpenCVE AI on March 21, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a later release of trueleaf ApiFlow that addresses the SSRF flaw.
  • If an update is not immediately feasible, configure the proxy service to restrict outbound destinations to a whitelisted set of hosts or block internal network ranges.
  • Enable detailed logging of outbound requests from the proxy and monitor for unexpected or suspicious traffic patterns.

Generated by OpenCVE AI on March 21, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Trueleaf
Trueleaf apiflow
Vendors & Products Trueleaf
Trueleaf apiflow

Sat, 21 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in trueleaf ApiFlow 0.9.7. The impacted element is the function validateUrlSecurity of the file packages/server/src/service/proxy/http_proxy.service.ts of the component URL Validation Handler. This manipulation causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title trueleaf ApiFlow URL Validation http_proxy.service.ts validateUrlSecurity server-side request forgery
Weaknesses CWE-918
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Trueleaf Apiflow
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T16:25:13.688Z

Reserved: 2026-03-21T07:36:25.895Z

Link: CVE-2026-4528

cve-icon Vulnrichment

Updated: 2026-03-23T16:25:01.171Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T22:16:20.137

Modified: 2026-04-24T16:31:14.807

Link: CVE-2026-4528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:59Z

Weaknesses