CVE-2026-24736 Overview
CVE-2026-24736 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting Squidex, an open source headless content management system and content management hub. The vulnerability exists in the Webhooks feature within the Rules engine, where insufficient validation of destination URLs allows authenticated users to trigger requests to arbitrary internal network resources. This elevates what would typically be a "Blind" SSRF into a "Full Read" SSRF since the server logs complete HTTP responses in the rule execution log, accessible via the API.
Critical Impact
Authenticated attackers can leverage this SSRF to access internal services, cloud metadata endpoints, and sensitive resources on the internal network, with full response data exposure through the API.
Affected Products
- Squidex versions up to and including 7.21.0
- All Squidex deployments with Rules engine Webhooks enabled
Discovery Timeline
- 2026-01-27 - CVE-2026-24736 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24736
Vulnerability Analysis
This SSRF vulnerability (CWE-918) allows privileged users to manipulate the Squidex backend into making arbitrary HTTP requests to destinations of their choosing, including internal network addresses. What makes it critical is the full response disclosure: unlike a typical blind SSRF, where the attacker cannot see the response, Squidex stores the complete HTTP response in the lastDump field of the rule execution log.
The vulnerability can be exploited to reach cloud provider metadata services (such as the AWS EC2 metadata endpoint at 169.254.169.254), internal APIs, configuration endpoints, and other sensitive internal resources. The vulnerability assessment rates scope as changed, meaning exploitation can affect resources beyond the vulnerable component itself.
Root Cause
The root cause is the lack of validation of the destination URL in the webhook configuration: the application accepts arbitrary URLs, including loopback addresses (127.0.0.1, localhost) and internal network ranges, without restriction. Combined with the response logging behavior, this creates a complete SSRF attack surface.
Attack Vector
The attack vector requires network access and high privileges (authenticated user with Rules engine access). An attacker would:
- Configure a webhook rule with a malicious URL pointing to an internal resource
- Trigger the rule execution (manually via the trigger endpoint or through content updates)
- Retrieve the full HTTP response from the lastDump field via the API
- Extract sensitive information from internal services
The vulnerability allows attackers to scan internal networks, access cloud metadata services, retrieve credentials, and potentially pivot to other internal systems. Since responses are fully logged and accessible, attackers gain complete visibility into internal service responses.
Detection Methods for CVE-2026-24736
Indicators of Compromise
- Webhook rules configured with loopback or private IP addresses (127.0.0.1, 10.x.x.x, 172.16.x.x through 172.31.x.x, 192.168.x.x)
- Webhook configurations targeting cloud metadata endpoints (e.g., 169.254.169.254)
- Unusual API requests to retrieve rule execution logs (lastDump field access patterns)
- High volume of rule trigger requests from specific users
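The destination check described under Root Cause, and the configuration audit the first two indicators call for, are the same test applied at two points: once when a rule is saved and once over the rules already stored. The following is an added example written for this write-up, not Squidex code. The rule dictionary shape ({"id", "url"}), the resolver hook, and every hostname and address in the sample data are constructed for the demo; the check itself relies only on the Python standard library.

```python
"""Destination check for rule-engine webhooks, plus an audit of existing rules.

Added example written for this write-up; it is not Squidex code. The rule
dictionary shape ({"id", "url"}), the ``resolver`` hook and the sample
hostnames/addresses below are constructed for the demo.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    ``is_global`` is False for loopback, RFC 1918, link-local (which covers
    169.254.169.254), CGNAT, unspecified, multicast, reserved and the
    documentation ranges, for both IPv4 and IPv6.  IPv4-mapped IPv6 addresses
    (::ffff:10.0.0.1) are unwrapped first so they are judged as IPv4.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def default_resolver(host):
    """Resolve a hostname to every A/AAAA record it has; each one must pass."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_webhook_url(url, resolver=default_resolver):
    """Return (allowed, reason).

    Run this when a rule is created or edited and again immediately before
    dispatch; rejecting early means no request is sent and nothing lands in
    the execution log.  Redirects issued by the destination must be either
    disabled or re-checked with this same function.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % parts.scheme
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "URL has no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # a hostname, or an odd literal such as a decimal IP
    if literal is not None:
        if not is_public_address(literal):
            return False, "%s is not a public address" % host
        return True, "ok"
    # Hostnames (and non-dotted literals) go through the resolver, which
    # normalises them to real addresses; every answer must be public.
    try:
        answers = resolver(host)
    except OSError as exc:
        return False, "could not resolve %s: %s" % (host, exc)
    if not answers:
        return False, "%s did not resolve" % host
    for raw in answers:
        addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 scope id
        if not is_public_address(addr):
            return False, "%s resolves to non-public %s" % (host, raw)
    return True, "ok"


def audit_rules(rules, resolver=default_resolver):
    """Re-run the check over stored rules; returns (id, url, reason) per finding."""
    findings = []
    for rule in rules:
        allowed, reason = check_webhook_url(rule["url"], resolver)
        if not allowed:
            findings.append((rule["id"], rule["url"], reason))
    return findings


# Constructed sample data so the demo runs offline: a static DNS table and a
# handful of rules in the assumed {"id", "url"} shape.
FAKE_DNS = {
    "hooks.example.com": ["1.2.3.4"],                  # stand-in public address
    "dual.example.com": ["1.2.3.5", "192.168.1.20"],   # one public, one private answer
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]


SAMPLE_RULES = [
    {"id": "rule-1", "url": "https://hooks.example.com/notify"},
    {"id": "rule-2", "url": "http://127.0.0.1:8080/"},
    {"id": "rule-3", "url": "http://169.254.169.254/latest/meta-data/"},
    {"id": "rule-4", "url": "http://localhost/"},
    {"id": "rule-5", "url": "http://dual.example.com/"},
    {"id": "rule-6", "url": "http://[::ffff:10.0.0.1]/"},
    {"id": "rule-7", "url": "ftp://hooks.example.com/"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, fake_resolver):
        print(*finding, sep="  ")
```

Two design points matter here. The check resolves hostnames and judges every returned address, so a rule whose name resolves to one public and one private address is rejected rather than passed on the first answer. And because the decision is taken before any request is issued, a rejected destination never produces a response to be written into lastDump, which is what turns this bug from blind into full-read SSRF.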
Detection Strategies
- Monitor webhook configurations for internal/private IP address ranges and localhost references
- Implement alerting on rule execution logs containing sensitive data patterns (API keys, credentials, tokens)
- Review audit logs for unusual patterns of manual rule triggering via the API
- Deploy network monitoring to detect unexpected outbound connections from the Squidex server to internal resources
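The second and third strategies above (alerting on credential-shaped content in rule execution logs, and spotting unusual manual triggering) can both be run over the execution records the API returns. The following is an added example for this write-up, not Squidex code. Only the lastDump field is named in the advisory; ruleId, user, timestamp and triggeredBy are assumed record fields, and every log line is constructed (the AWS key is Amazon's documented placeholder key).

```python
"""Detection pass over rule-execution records from a Squidex-style rules engine.

Added example for this write-up, not Squidex code. Only the ``lastDump``
field is named in the advisory; ``ruleId``, ``user``, ``timestamp`` and
``triggeredBy`` are assumed record fields, and every log line below is
constructed (the AWS key is Amazon's documented placeholder key).
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Content that has no business appearing in a logged webhook response.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._~+/-]{20,}=*"),
    "credential_field": re.compile(
        r'"(?:password|secret|api[_-]?key|token)"\s*:\s*"[^"]{8,}"', re.IGNORECASE),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def parse_log(text):
    """One JSON object per line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def scan_dump(dump):
    """Names of the secret patterns found in one lastDump value."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(dump or "")]


def find_secret_leaks(records):
    """(ruleId, user, [pattern names]) for every execution whose logged
    response carries credential-shaped content."""
    leaks = []
    for r in records:
        hits = scan_dump(r.get("lastDump"))
        if hits:
            leaks.append((r.get("ruleId"), r.get("user"), hits))
    return leaks


def find_trigger_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """(user, count) for users whose manual triggers reach ``threshold``
    within any ``window``-long span; a sliding window over sorted timestamps."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("triggeredBy") == "manual":
            by_user[r["user"]].append(datetime.fromisoformat(r["timestamp"]))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, peak))
    return alerts


def _rec(rule_id, user, ts, trigger, dump):
    return json.dumps({"ruleId": rule_id, "user": user, "timestamp": ts,
                       "triggeredBy": trigger, "lastDump": dump})


# Constructed sample: one ordinary content-driven run, one manual run whose
# dump contains a credential, a junk line, and a burst of manual triggers.
SAMPLE_LOG = "\n".join(
    [
        _rec("rule-1", "alice", "2026-01-28T10:00:00+00:00", "content",
             'HTTP/1.1 200 OK\r\n\r\n{"status":"queued"}'),
        _rec("rule-2", "bob", "2026-01-28T10:05:00+00:00", "manual",
             'HTTP/1.1 200 OK\r\n\r\n{"AccessKeyId":"AKIAIOSFODNN7EXAMPLE"}'),
        "not json at all",
    ]
    + [
        _rec("rule-3", "bob", "2026-01-28T10:1%d:00+00:00" % i, "manual",
             "HTTP/1.1 404 Not Found\r\n\r\n")
        for i in range(6)
    ]
)


def run_detections(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"secret_leaks": find_secret_leaks(records),
            "trigger_bursts": find_trigger_bursts(records)}


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

The burst detector counts only manual triggers, since content-driven executions are expected to be frequent; the threshold and window are starting points to tune against a deployment's normal editor activity. The pattern list is deliberately narrow so that a hit is worth an analyst's time, and a match on lastDump is also the cue to pull the rule's configured URL for review.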
Monitoring Recommendations
- Enable detailed logging for all Rules engine webhook configurations and modifications
- Monitor egress traffic from Squidex servers for connections to internal IP ranges
- Alert on API access patterns to rule execution log endpoints that may indicate data exfiltration
- Review cloud provider metadata access logs if running in cloud environments
How to Mitigate CVE-2026-24736
Immediate Actions Required
- Audit all existing webhook configurations for internal IP addresses and localhost references
- Restrict Rules engine access to trusted administrators only
- Implement network-level controls to block Squidex servers from accessing internal resources
- Consider disabling the webhooks feature if not critical to operations until a patch is available
Patch Information
As of the publication date, no patched versions of Squidex are available. Users should monitor the GitHub Security Advisory for updates on patch availability.
Workarounds
- Deploy network segmentation to isolate Squidex servers from sensitive internal resources
- Use a web application firewall (WAF) or reverse proxy to filter outbound requests from the application
- Implement egress filtering at the network level to block connections to internal IP ranges and cloud metadata endpoints
- Restrict API access to rule execution logs through additional authentication controls
Network segmentation and egress filtering can be implemented at the infrastructure level to limit the impact of this vulnerability. Configure firewall rules to block the Squidex application server from initiating connections to internal network ranges, localhost, and cloud metadata services. This defense-in-depth approach reduces the attack surface while awaiting an official patch.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.