Description
A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-03
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability is in the Casdoor 2.356.0 webhook URL handler. A specially crafted request allows an attacker to trigger a server-side request forgery (SSRF), causing the Casdoor server to send arbitrary HTTP requests to any target. This could enable data exfiltration, interaction with internal services, or redirection to malicious endpoints. The flaw is classified as CWE-918.

Affected Systems

Casdoor version 2.356.0 is the only affected product. No other versions or product variants are indicated in the data, so installations running this exact version are vulnerable.

Risk and Exploitability

The CVSS base score of 5.1 indicates a medium impact, and the EPSS score of less than 1 % suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The description explicitly states the attack can be launched remotely. It does not state whether authentication to the webhook endpoint is required, so the potential exposure may vary based on deployment configuration. Overall risk depends on what internal services can be reached via the SSRF and how exposed the webhook endpoint is.

Generated by OpenCVE AI on April 9, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any released patch for Casdoor 2.356.0.
  • If no patch is available, restrict webhook URLs to an allowlist of trusted domains.
  • Disable webhook handling if it is not required.
  • Block outgoing connections from the Casdoor server to untrusted networks using a firewall or an egress proxy.
  • Monitor logs for unexpected outbound HTTP requests and investigate anomalies.
  • Contact Casdoor support to confirm fix status or request a timeline for a patch.

Generated by OpenCVE AI on April 9, 2026 at 02:50 UTC.
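As an added illustration of the allowlist and egress-restriction actions above (example code, not Casdoor's own), the Go function below validates an outbound webhook URL: it accepts only https, only hosts on an allowlist, and only names that resolve exclusively to publicly routable addresses. The allowlist entries, FakeResolve and the TEST-NET-3 addresses it returns are constructed for this demonstration; a deployment would pass net.LookupIP instead.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ValidateWebhookURL accepts only https URLs whose host is on the allowlist and resolves
// solely to public addresses. resolve abstracts DNS; a deployment would pass net.LookupIP.
func ValidateWebhookURL(raw string, allowed map[string]bool,
	resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparsable webhook URL: %w", err)
	}
	if u.Scheme != "https" || u.User != nil {
		return errors.New("webhook must use https and carry no embedded credentials")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || !allowed[host] {
		return fmt.Errorf("host %q is not on the webhook allowlist", host)
	}
	ips, err := resolve(host)
	if err != nil {
		return fmt.Errorf("cannot resolve %q: %w", host, err)
	}
	for _, ip := range ips { // an allowlisted name may still point at an internal service
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
			return fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// FakeResolve is a constructed stand-in for DNS (hypothetical names, TEST-NET-3 addresses).
func FakeResolve(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.com":   {net.ParseIP("203.0.113.10")},
		"rebound.example.com": {net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}
```

Apply the same address check inside the HTTP client's dialer as well, because a name that passes when the webhook is saved can be re-pointed at an internal address before the request is actually sent.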

Advisories
Source      | ID                  | Title
Github GHSA | GHSA-p8c7-hjc4-gwf8 | Casdoor vulnerable to SSRF via crafted Webhook URL
History

Thu, 09 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:casbin:casdoor:2.356.0:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type               | Values Removed | Values Added
First Time appeared |               | Casbin
                    |               | Casbin casdoor
Vendors & Products  |               | Casbin
                    |               | Casbin casdoor

Fri, 03 Apr 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
        |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title       |                | Casdoor Webhook URL server-side request forgery
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV2_0
            |                | {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:ND/RL:ND/RC:ND'}
            |                | cvssV3_0
            |                | {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}
            |                | cvssV3_1
            |                | {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X'}
            |                | cvssV4_0
            |                | {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T20:02:50.404Z

Reserved: 2026-04-03T07:26:01.452Z

Link: CVE-2026-5469

Vulnrichment

Updated: 2026-04-03T20:02:45.646Z

NVD

Status: Analyzed

Published: 2026-04-03T15:16:06.420

Modified: 2026-04-09T00:14:07.627

Link: CVE-2026-5469

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:15Z

Weaknesses