CVE-2026-3189 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta. This vulnerability affects the file download functionality in /api/admin/common/files/download, where manipulation of the url parameter can allow an attacker to forge server-side requests. The attack can be executed remotely, though exploitation is considered highly complex due to the nature of the attack vector.
Critical Impact
Attackers with low privileges can exploit this SSRF vulnerability to reach internal network resources, which may lead to disclosure of information from services that were never intended to be publicly accessible.
Affected Products
- feiyuchuixue sz-boot-parent versions up to 1.3.2-beta
- Applications using the vulnerable /api/admin/common/files/download endpoint
- Systems exposing the affected file download API without additional network segmentation
Discovery Timeline
- 2026-02-25 - CVE-2026-3189 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-3189
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in the file download interface of sz-boot-parent. The vulnerable endpoint at /api/admin/common/files/download accepts a url parameter that is processed server-side without adequate protocol validation. This allows authenticated attackers to craft requests that the server will execute on their behalf, potentially accessing internal resources or services that should not be externally reachable.
The vulnerability requires authentication (low privileges) and is accessible over the network. While the attack complexity is high due to the specific conditions required for successful exploitation, the potential for information disclosure makes this a noteworthy security concern for deployments using this component.
Root Cause
The root cause of this vulnerability is insufficient input validation on the url parameter in the file download functionality. Prior to the patch, the application did not enforce a whitelist of allowed URL protocols, so an attacker could supply other protocols (such as file:// or gopher://) or internal http:// addresses to reach resources the server can access but external users should not.
Attack Vector
The attack is network-based and requires the attacker to hold low privileges (authenticated access). The attacker can manipulate the url parameter in requests to the /api/admin/common/files/download endpoint to:
- Access internal network services not exposed to the internet
- Scan internal ports and enumerate internal services
- Potentially read sensitive data from internal endpoints
- Bypass firewall restrictions by using the server as a proxy
The following patch demonstrates the security fix implemented to address this vulnerability:
EXISTS(1001, "已存在"),
NOT_EXISTS(1002, "不存在"),
FILE_NOT_EXISTS(1003, "文件不存在"),
- FILE_UPLOAD_EXT_ERROR(1004, "上传文件类型错误"),
+ FILE_UPLOAD_EXT_ERROR(1004, "文件类型不被允许,请检查文件扩展名和MIME类型"),
FILE_UPLOAD_SIZE_ERROR(1005, "上传文件大小不能超过10MB"),
FILE_UPLOAD_ERROR(1006, "上传文件失败"),
USERNAME_EXISTS(1007, "用户名已存在"),
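Review bot: this hunk only rewords the FILE_UPLOAD_EXT_ERROR message in the error-code enum; it contains none of the URL protocol whitelist that the text before and after it attributes to the fix, so a reader looking here for the validation logic will not find it. The hunk is also quoted without its @@ header or file path, so it cannot be located in the referenced commit. Suggest quoting the download-interface hunk that adds the http/https allow-list (with its header) in place of, or alongside, this one.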
Source: GitHub Commit Details
The patch introduces URL protocol whitelist validation, restricting the file download interface to only allow http and https protocols.
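The following is an added example, not sz-boot-parent's own code, illustrating the Root Cause and patch description above: a download-URL check that enforces the same http/https allow-list as the fix and, going one step further than the patch, also rejects destinations that are loopback, private, link-local or otherwise non-public, since a scheme allow-list by itself still admits internal http:// addresses. The injectable resolver and the helper names are assumptions of this example.

```python
# Added example (not sz-boot-parent's own code): download-URL check in the spirit of the
# CVE-2026-3189 fix. The patch allow-lists http/https; this also rejects non-public hosts.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _resolve(host):
    """Every A/AAAA address a hostname maps to (stdlib only)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def _is_internal(ip):
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or not a.is_global

def validate_download_url(url, resolver=_resolve):
    """Return url if safe for a server-side fetch, else raise ValueError."""
    # resolver is injectable (an assumption of this example) so tests can fake DNS.
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:       # urlsplit lower-cases the scheme
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname                         # IPv6 brackets already stripped
    if not host:
        raise ValueError("missing host")
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP: check it directly
    except ValueError:
        try:
            ips = list(resolver(host))            # hostname: check every address
        except OSError as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not ips:
        raise ValueError(f"no addresses for {host!r}")
    for ip in ips:
        if _is_internal(ip):
            raise ValueError(f"{host!r} -> {ip} is not a public address")
    # Caveat: the fetch must connect to one of the checked addresses and re-run this
    # check on every redirect, or DNS rebinding / a 3xx to an internal host bypasses it.
    return url

def is_safe_download_url(url, resolver=_resolve):
    """Boolean wrapper around validate_download_url."""
    try:
        validate_download_url(url, resolver)
        return True
    except ValueError:
        return False
```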
Detection Methods for CVE-2026-3189
Indicators of Compromise
- Unusual requests to /api/admin/common/files/download with internal IP addresses or localhost references in the url parameter
- Requests containing non-HTTP/HTTPS protocols such as file://, gopher://, or dict:// in URL parameters
- Server logs showing outbound connections to internal network ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x) initiated by the web application
Detection Strategies
- Monitor web application logs for requests to the vulnerable endpoint containing suspicious URL patterns or internal IP addresses
- Implement network monitoring to detect unusual outbound connections from web application servers to internal services
- Configure Web Application Firewall (WAF) rules to detect and block SSRF patterns in request parameters
- Review application server egress traffic for unexpected connections to internal network segments
Monitoring Recommendations
- Enable detailed access logging for the /api/admin/common/files/download endpoint
- Set up alerts for requests containing internal IP ranges or non-standard protocols in URL parameters
- Monitor for increased error rates or unusual response times that may indicate SSRF probing attempts
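As an added example (not part of this advisory or the project), the log triage below applies the Indicators of Compromise and Detection Strategies listed above to web server access logs: it picks out requests to /api/admin/common/files/download whose url parameter uses a non-http/https scheme or points at localhost or an internal IP address. It assumes Combined Log Format; the sample log lines are constructed.

```python
# Added example (not from the advisory or the project): triage of web access logs against
# the CVE-2026-3189 indicators. Assumes Combined Log Format; the sample lines are constructed.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api/admin/common/files/download"
ALLOWED_SCHEMES = {"http", "https"}
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

SAMPLE_LOG = """\
10.1.2.3 - alice [25/Feb/2026:10:00:01 +0000] "GET /api/admin/common/files/download?url=https%3A%2F%2Ffiles.example.com%2Freport.pdf HTTP/1.1" 200 5120
10.1.2.3 - alice [25/Feb/2026:10:00:05 +0000] "GET /api/admin/common/files/download?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 734
10.1.2.9 - bob [25/Feb/2026:10:01:10 +0000] "GET /api/admin/common/files/download?url=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 500 87
10.1.2.9 - bob [25/Feb/2026:10:01:12 +0000] "GET /api/admin/common/files/download?url=http%3A%2F%2F192.168.10.20%2F HTTP/1.1" 200 312
10.1.2.4 - carol [25/Feb/2026:10:02:00 +0000] "GET /api/admin/sys/menu HTTP/1.1" 200 2048
"""

def suspicious_reason(target):
    """Why a download URL matches the SSRF indicators, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost reference"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # plain hostname: resolution-time checks belong in the app, not here
    if addr.is_loopback or addr.is_private or addr.is_link_local:
        return f"internal address {host}"
    return None

def scan_access_log(text):
    """Return (source_ip, url_param, reason) for every suspicious download request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m.group("path"))
        if req.path != ENDPOINT:
            continue
        for target in parse_qs(req.query).get("url", []):  # parse_qs percent-decodes
            reason = suspicious_reason(target)
            if reason:
                hits.append((m.group("src"), target, reason))
    return hits
```

Hostnames are deliberately not resolved here: a log scanner should not generate DNS traffic, and the resolved-address check belongs in the application's own validation.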
How to Mitigate CVE-2026-3189
Immediate Actions Required
- Upgrade sz-boot-parent to version 1.3.3-beta or later immediately
- If immediate upgrade is not possible, restrict access to the /api/admin/common/files/download endpoint
- Review application logs for any evidence of exploitation attempts
- Implement network segmentation to limit the impact of potential SSRF attacks
Patch Information
The vulnerability has been addressed in version 1.3.3-beta of sz-boot-parent. The fix (commit aefaabfd7527188bfba3c8c9eee17c316d094802) implements URL protocol whitelist validation, allowing only http and https protocols in the file download interface. The project maintainers responded professionally to the disclosure and implemented comprehensive security improvements.
For additional details, see the GitHub Release v1.3.3-beta and the security patch commit.
Workarounds
- Restrict network access from the application server to internal resources using firewall rules
- Implement a reverse proxy with URL filtering to block requests containing internal IP addresses
- Disable or restrict access to the /api/admin/common/files/download endpoint until the patch can be applied
# Example: Restrict outbound connections from the web application server
# Add firewall rules to limit egress traffic to known external services only.
# The rules match on the service account the application runs as (www-data here;
# adjust to the actual user). They must sit before any blanket ACCEPT rule in the
# OUTPUT chain, otherwise the earlier ACCEPT wins and the DROPs never apply.
# Note: only the RFC 1918 ranges are covered. Loopback (127.0.0.0/8) and link-local
# (169.254.0.0/16, including cloud metadata services) are not blocked here, because
# dropping loopback would also cut the application off from any local database.
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


