Description
Huly Platform through 0.7.423, fixed in commit 68cbf8a, contains an authenticated server-side request forgery vulnerability in the /import endpoint of the front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.
Published: 2026-06-25
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Huly Platform through version 0.7.423 contains an authenticated server‑side request forgery flaw in the /import endpoint of its front pod. This weakness allows authenticated workspace users to supply arbitrary URLs, causing the platform to issue outbound requests to any IP address or hostname. Attackers can use this capability to reach internal services, capture and exfiltrate HTTP responses, and replay captured credentials against backend systems. The primary consequence is information disclosure and credential theft, with potential internal network compromise if sensitive endpoints are queried.

Affected Systems

All instances of Huly Platform version 0.7.423 or earlier that use the front pod are affected. The vulnerability exists until the platform is updated to include the fix in commit 68cbf8a88642d8313f151a274fb5c24dee6a2762, which removes the unsafe URL handling from the /import endpoint.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be a legitimate authenticated workspace user; once authenticated, the attacker can generate arbitrary outbound requests and exfiltrate data or replay credentials, potentially escalating privilege within the internal network.

Generated by OpenCVE AI on June 25, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Huly Platform to a version that includes commit 68cbf8a88642d8313f151a274fb5c24dee6a2762, which removes the SSRF flaw from the /import endpoint.
  • If an immediate update is not possible, disable the /import endpoint or limit its access so that only trusted users can use it.
  • Implement outbound network controls or firewall rules to block unsanctioned internal requests from the platform’s servers, reducing the impact of a potential SSRF exploitation.
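The second and third recommendations amount to the same defensive principle: the server must decide, before it fetches anything on a user's behalf, whether the destination is one it is allowed to reach. The following Python guard is an added illustration of that check and is not Huly's code nor the change made in commit 68cbf8a; the function names, the policy constants, and the sample URLs and resolved addresses are all constructed for this example. It validates the scheme, port and userinfo of a submitted URL, then checks the host (an IP literal, or every address the hostname resolved to) against the non-public ranges that an SSRF would otherwise let a user reach.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for an "import from URL" feature: only plain web
# fetches to public hosts on the standard ports are accepted.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local, CGNAT, documentation,
    reserved, unspecified and multicast ranges, so the fetch can never be
    pointed at an internal service or at the host itself. IPv4-mapped IPv6
    literals (::ffff:a.b.c.d) are unwrapped first so an internal IPv4
    address cannot be smuggled past an IPv6-only check.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_import_url(url: str, resolved: list[str]) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` on a user's behalf.

    `resolved` is the list of addresses the caller obtained by resolving the
    URL's hostname once. The caller must then connect to one of those exact
    addresses rather than re-resolving the name, otherwise a DNS rebinding
    answer could swap in an internal address between check and fetch.
    Redirect targets must be passed back through this function as well.
    Returns (allowed, reason).
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"

    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # Credentials embedded in the URL would be sent by the server itself.
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    # Case 1: the host is an IP literal; check it directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if not is_public_address(literal):
            return False, f"address {host} is not public"
        return True, "ok"

    # Case 2: the host is a name; every resolved address must be public,
    # and a name that resolved to nothing is refused rather than trusted.
    if not resolved:
        return False, "hostname did not resolve"
    for addr in resolved:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable resolved address {addr!r}"
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the resolved addresses are made up for the
    # example and were not looked up.
    cases = [
        ("https://example.com/team.csv", ["93.184.216.34"]),
        ("http://10.0.0.5:80/internal/api", []),
        ("http://[::1]/", []),
        ("https://files.example.net/export", ["10.20.30.40"]),
        ("http://user:secret@example.com/", ["93.184.216.34"]),
        ("https://example.com:8443/", ["93.184.216.34"]),
    ]
    for url, addrs in cases:
        allowed, reason = validate_import_url(url, addrs)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {url}  ({reason})")
```

The guard is deliberately an allow-list (public unicast only) rather than a deny-list of known internal addresses, so new internal ranges or unusual literal encodings fail closed. It complements, and does not replace, the egress firewall rules in the last recommendation: the application check stops the request before it leaves the process, and the network control catches anything the application layer misses.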



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 19:00:00 +0000

Type: Description
Values Removed: Huly Platform before commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.
Values Added: Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.

Thu, 25 Jun 2026 18:30:00 +0000

Type: Description
Values Added: Huly Platform before commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.

Type: Title
Values Added: Huly Platform - Server-Side Request Forgery via /import Endpoint

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added: none

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T18:29:15.442Z

Reserved: 2026-06-22T21:55:17.942Z

Link: CVE-2026-56769

Vulnrichment

Updated: 2026-06-25T18:29:11.301Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:30:11Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)