CVE-2026-9813 MEDIUM

CVE-2026-9813: FlowIntel external reference URL probe allows server-side request forgery

Vendor Flowintel

Product flowintel

Weakness CWE-918 · SSRF

Published May 28, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

6.2/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:H/SA:H/S:N/RE:L/U:Green

What the vulnerability does

01Description

FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context.

Key dates

02Disclosure timeline

May 28, 2026 CVE published

May 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-9813 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

CVE-2026-9813: FlowIntel external reference URL probe allows server-side request forgery

01Description

02Disclosure timeline

03References

04Related CVE