CVE-2026-5131: GREENmod Named Pipe SSRF Vulnerability

CVE-2026-5131 Overview

CVE-2026-5131 is a Server-Side Request Forgery (SSRF) vulnerability affecting GREENmod, a software solution that utilizes named pipes for inter-process communication between plugins, the web portal, and system services. The vulnerability stems from improperly configured access control lists (ACLs) on the named pipes, allowing unauthorized attackers to communicate with the pipe stream and upload arbitrary XML or JSON files. These files are then processed with the privileges of the service account, enabling SSRF attacks against any Windows system where the agent is installed that provides SMB or WebDAV communication.

Critical Impact

Attackers can exploit misconfigured named pipe ACLs to achieve Server-Side Request Forgery, potentially accessing internal network resources and Windows systems via SMB or WebDAV protocols.

Affected Products

• GREENmod versions prior to 2.8.33
• Windows systems with GREENmod agent installed providing SMB communication
• Windows systems with GREENmod agent installed providing WebDAV communication

Discovery Timeline

• 2026-04-17 - CVE-2026-5131 published to NVD
• 2026-04-17 - Last updated in NVD database

Technical Details for CVE-2026-5131

Vulnerability Analysis

This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The core issue lies in the implementation of named pipe security within GREENmod's architecture. Named pipes in Windows provide an inter-process communication (IPC) mechanism, and their security relies heavily on proper ACL configuration. In vulnerable versions of GREENmod, these ACLs are not correctly enforced, creating an attack surface that allows unauthorized processes to write to the communication stream.

When an attacker successfully connects to the misconfigured named pipe, they can inject XML or JSON payloads that the service processes under its running context. Since the service typically runs with elevated privileges, this creates a privilege escalation pathway. The processed files can then be leveraged to initiate outbound requests to internal network resources via SMB or WebDAV protocols, effectively turning the compromised host into a proxy for further attacks.

Root Cause

The root cause of this vulnerability is the improper configuration of Access Control Lists (ACLs) on the named pipes used by GREENmod for communication between its components. The ACLs fail to properly restrict which processes and users can connect to and interact with the named pipe stream. This misconfiguration allows any local or network user to write data to the pipe, bypassing intended security boundaries.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can remotely connect to the improperly secured named pipe and submit malicious XML or JSON content. The GREENmod service parses and processes this content with its service account privileges.

The attack flow proceeds as follows: The attacker identifies a GREENmod installation and connects to the exposed named pipe. They then craft a malicious XML or JSON payload containing SSRF directives targeting internal resources accessible via SMB or WebDAV. When the service processes the payload, it initiates requests to the specified internal targets, potentially exposing sensitive data, internal services, or enabling lateral movement within the network.

Detection Methods for CVE-2026-5131

Indicators of Compromise

• Unexpected connections to GREENmod named pipes from unauthorized processes or remote systems
• Unusual outbound SMB or WebDAV requests originating from the GREENmod service process
• XML or JSON files processed by GREENmod containing external URL references or internal IP addresses
• Network traffic to internal resources from GREENmod service accounts that deviate from normal operational patterns

Detection Strategies

• Monitor named pipe access events using Windows Security Event logs (Event ID 5145 for shared object access)
• Implement network monitoring for anomalous SMB and WebDAV traffic originating from systems running GREENmod agents
• Deploy endpoint detection rules to identify processes connecting to GREENmod named pipes outside of expected plugin and portal components
• Configure SIEM correlation rules to detect SSRF patterns such as internal IP access requests from service accounts

Monitoring Recommendations

• Enable detailed Windows audit logging for named pipe access and file share events
• Implement network segmentation monitoring to detect unauthorized internal network traversal via SMB/WebDAV
• Establish baseline behavior for GREENmod service network activity and alert on deviations
• Review GREENmod logs for unexpected XML or JSON file processing events

How to Mitigate CVE-2026-5131

Immediate Actions Required

• Upgrade GREENmod to version 2.8.33 or later immediately to remediate the vulnerability
• Audit current named pipe permissions on GREENmod installations to identify potential exposure
• Implement network segmentation to limit SMB and WebDAV access from GREENmod agent hosts
• Review firewall rules to restrict outbound connections from systems running GREENmod services

Patch Information

Nomios has addressed this vulnerability in GREENmod version 2.8.33. Organizations should prioritize updating all GREENmod installations to this version or later. The patch corrects the named pipe ACL configuration to properly restrict access to authorized components only.

For detailed information about this vulnerability and the patch, refer to the CERT.PL Advisory and the Nomios GREENmod product page.

Workarounds

• Restrict network access to systems running GREENmod using firewall rules until patching is complete
• Implement Windows Defender Firewall rules to block unauthorized named pipe connections
• Configure the GREENmod service to run under a least-privilege account to minimize SSRF impact
• Deploy network-level controls to restrict SMB and WebDAV traffic from GREENmod hosts to only authorized destinations