Description
A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in the FileAction function of the URL Fetching component in o2oa up to version 10.0 allows an attacker to manipulate the fileUrl parameter so that the server makes HTTP requests to arbitrary internal or external resources. This ability can lead to the disclosure of internal network information, credential extraction, or the proxying of malicious content. The impact is a loss of confidentiality and a potential compromise of the integrity of internal resources; exploitation requires only that the vulnerable endpoint be reachable by the attacker.

Affected Systems

The affected vendor is the o2oa application ecosystem. The specific affected module is FileAction.java in the URL Fetching component, with all releases up to and including 10.0 identified as vulnerable. No fixed version is documented in the provided vendor information.

Risk and Exploitability

The CVSS score of 5.3 gives the vulnerability a moderate severity rating. EPSS data is not available, so it is unclear how frequently this exploit is being used in the wild, but the existence of a publicly available exploit suggests that an attack is feasible. The vulnerability is not listed in the CISA KEV catalog. A likely attack vector is remote exploitation via a crafted HTTP request to an endpoint that invokes the vulnerable FileAction function. No specific conditions such as authentication are mentioned, which implies that any user who can invoke the function may launch the attack.

Generated by OpenCVE AI on April 28, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Submit a status update to the o2oa project and demand a fix or a replacement version for the URL Fetching component
  • Immediately disable or remove the URL Fetching feature if it is not required for business operations
  • Apply network segmentation and restrict inbound traffic to the component that hosts FileAction, limiting the potential reach of server-side requests
  • Adopt strict outbound (egress) firewall rules so that the server cannot open HTTP connections to internal services unless explicitly authorized
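The two application-layer controls implied by the impact description and the actions above (vet the fetched URL before the server requests it, and look back through access logs for requests that pointed the fetcher at internal addresses) can be demonstrated in a few dozen lines. The following Python is an added example and not o2oa's code: the page does not show FileAction.java, and the route name `/fetch`, the hosts, the addresses, the allowlist and the DNS records are all constructed so that it runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlparse

# Added illustration (not o2oa code): a request-time guard for a URL-fetching
# parameter such as the advisory's "fileUrl", plus a triage pass over access
# logs. Route names, hosts, addresses and DNS records below are constructed.

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts the fetcher is permitted to reach.
ALLOWED_HOSTS = {"public.example.test"}

# Constructed DNS table so the example runs offline. "dual" stands in for a
# host whose answers mix a routable and an internal address (rebinding-style).
CONSTRUCTED_DNS = {
    "public.example.test": ["1.2.3.4"],   # constructed stand-in for a routable address
    "intranet.example.test": ["10.0.0.5"],
    "dual.example.test": ["1.2.3.4", "192.168.1.20"],
}


def constructed_resolver(host):
    """Offline stand-in for DNS: IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        pass
    if host in CONSTRUCTED_DNS:
        return list(CONSTRUCTED_DNS[host])
    raise OSError(f"no constructed record for {host}")


def system_resolver(host):
    """Real resolver for production use (not exercised by the offline demo)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(ip_str):
    """True only for addresses outside loopback, private, link-local and other special ranges."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_file_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). allowed_hosts=None switches to denylist-only mode."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False, "unparseable URL"
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:  # every answer must be public, not just the first
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"


REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines (Common Log Format); "/fetch" is a made-up route.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Apr/2026:20:01:02 +0000] "GET /fetch?fileUrl=https%3A%2F%2Fpublic.example.test%2Freport.pdf HTTP/1.1" 200 4096',
    '198.51.100.7 - - [28/Apr/2026:20:01:09 +0000] "GET /fetch?fileUrl=http%3A%2F%2Fintranet.example.test%2Fstatus HTTP/1.1" 200 311',
    '198.51.100.7 - - [28/Apr/2026:20:01:15 +0000] "GET /fetch?fileUrl=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 500 0',
    '203.0.113.44 - - [28/Apr/2026:20:02:00 +0000] "GET /fetch?fileUrl=http%3A%2F%2Fdual.example.test%2F HTTP/1.1" 200 88',
]


def triage_access_log(lines, resolver=system_resolver):
    """Flag requests whose fileUrl would be rejected by check_file_url in denylist mode."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        for url in query.get("fileUrl", []):
            ok, reason = check_file_url(url, resolver, allowed_hosts=None)
            if not ok:
                findings.append((lineno, url, reason))
    return findings


if __name__ == "__main__":
    for lineno, url, reason in triage_access_log(SAMPLE_LOG, constructed_resolver):
        print(f"line {lineno}: {url} -> {reason}")
```

Two design points matter in practice. Checking the URL and then fetching it by hostname still leaves a window in which DNS can answer differently (rebinding), so a production fetcher should connect to the address it vetted and re-run the check on every redirect target rather than following redirects blindly. The egress firewall rule in the list above remains the backstop for anything the application-layer check misses.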


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   O2oa
                                      O2oa o2oa
Vendors & Products                    O2oa
                                      O2oa o2oa

Tue, 28 Apr 2026 18:30:00 +0000

Type            Values Removed   Values Added
Description                      A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title                            o2oa URL Fetching FileAction.java FileAction server-side request forgery
Weaknesses                       CWE-918
References
Metrics                          cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                 cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                 cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                 cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T18:34:51.456Z

Reserved: 2026-04-28T10:20:47.645Z

Link: CVE-2026-7291

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-28T19:37:48.253

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:39Z

Weaknesses