CVE-2026-5538 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in QingdaoU OnlineJudge up to and including version 1.6.1. The flaw is in the service_url function of the JudgeServer.service_url component, reachable through the judge_server_heartbeat endpoint. An authenticated attacker can cause the server to issue HTTP requests to attacker-chosen internal or external destinations, which can expose internal services, leak data, or serve as a stepping stone into the internal network.
Critical Impact
Authenticated attackers can exploit this SSRF vulnerability remotely to force the server to make requests to arbitrary destinations, potentially exposing internal services and sensitive data.
Affected Products
- QingdaoU OnlineJudge version 1.6.1 and earlier
- Systems running the vulnerable judge_server_heartbeat endpoint
- Deployments with network access to the affected component
Discovery Timeline
- April 5, 2026 - CVE-2026-5538 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5538
Vulnerability Analysis
This vulnerability is classified as Server-Side Request Forgery (SSRF), identified by CWE-918. The flaw exists in how the OnlineJudge application handles the service_url parameter within the judge_server_heartbeat endpoint. When processing heartbeat requests from judge servers, the application fails to properly validate or sanitize the provided URL, allowing an authenticated attacker to inject arbitrary URLs that the server will then request on behalf of the attacker.
SSRF vulnerabilities are particularly dangerous in cloud and containerized environments where internal metadata services (such as AWS EC2 metadata at 169.254.169.254) may be accessible. In the context of an online judge platform, this could allow attackers to probe internal infrastructure, access other services on the internal network, or exfiltrate sensitive configuration data.
Root Cause
The root cause of this vulnerability lies in insufficient input validation of the service_url parameter in the JudgeServer.service_url component. The application accepts user-controlled URL input and makes server-side requests without properly validating the target destination, protocol scheme, or IP address ranges. This allows authenticated users to specify arbitrary URLs, including those pointing to internal network resources or cloud metadata endpoints.
Attack Vector
The attack can be executed remotely over the network by an authenticated user. The attacker needs valid credentials to access the judge_server_heartbeat endpoint. Once authenticated, they can manipulate the service_url parameter to contain a URL pointing to an internal service or sensitive endpoint. The server processes this request and returns the response, effectively acting as a proxy for the attacker.
The vulnerability allows attackers to:
- Access internal services not exposed to the internet
- Query cloud provider metadata services
- Scan internal network ports and services
- Potentially bypass firewall restrictions
Detection Methods for CVE-2026-5538
Indicators of Compromise
- Unusual outbound requests from the OnlineJudge server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints such as 169.254.169.254
- Unexpected DNS queries or HTTP requests originating from the application server to non-standard destinations
- Anomalous patterns in the service_url parameter values in application logs
Detection Strategies
- Monitor HTTP request logs for the judge_server_heartbeat endpoint with suspicious URL patterns in the service_url parameter
- Implement network-level monitoring to detect unusual outbound connections from the OnlineJudge application server
- Deploy Web Application Firewall (WAF) rules to detect and block SSRF patterns in request parameters
- Review application logs for requests containing internal IP addresses, localhost references, or cloud metadata URLs
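The log-review and pattern-matching strategies above can be turned into a small scanner. The following is an added example, not code from OnlineJudge or from this advisory; it assumes a hypothetical application log format (one line per heartbeat, with the submitted service_url recorded) and a constructed set of sample lines, and flags the indicators listed above: private or otherwise non-global addresses, the cloud metadata address, localhost references and non-HTTP schemes. IPv4-mapped IPv6 literals are unmapped before classification so that a disguised private address is still caught.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines in a HYPOTHETICAL format; OnlineJudge's real log
# format is not documented on this page. Line 1 is a legitimate judge server.
SAMPLE_LOG = """\
2026-04-06T10:00:01Z judge_server_heartbeat user=alice src=198.51.100.7 service_url=http://judge1.example.org:8080/
2026-04-06T10:00:02Z judge_server_heartbeat user=bob src=198.51.100.9 service_url=http://10.0.0.5:8080/
2026-04-06T10:00:03Z judge_server_heartbeat user=bob src=198.51.100.9 service_url=http://169.254.169.254/
2026-04-06T10:00:04Z judge_server_heartbeat user=bob src=198.51.100.9 service_url=http://localhost:8000/
2026-04-06T10:00:05Z judge_server_heartbeat user=carol src=198.51.100.12 service_url=ftp://10.0.0.5/
2026-04-06T10:00:06Z judge_server_heartbeat user=bob src=198.51.100.9 service_url=http://[::ffff:192.168.1.10]/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) judge_server_heartbeat user=(?P<user>\S+) src=(?P<src>\S+) service_url=(?P<url>\S+)$"
)
ALLOWED_SCHEMES = {"http", "https"}
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def _as_ip(host):
    """Return an address object for a literal IP host (None for names), unmapping ::ffff:a.b.c.d."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def suspicious_reasons(url):
    """Return the list of indicators matched by one service_url value (empty means nothing flagged)."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"non-http scheme {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("missing host")
        return reasons
    if host == "localhost" or host.endswith(".localhost"):
        reasons.append("localhost reference")
    ip = _as_ip(host)
    if ip is not None:
        if ip == METADATA_IP:
            reasons.append("cloud metadata endpoint")
        elif not ip.is_global:
            # is_global is False for RFC 1918, loopback, link-local, CGNAT,
            # multicast, reserved and documentation ranges: none belong in a heartbeat.
            reasons.append(f"non-global address {ip}")
    return reasons


def scan_heartbeat_log(text):
    """Return (line_no, user, url, reasons) for every heartbeat whose service_url matches an indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not a heartbeat record in the assumed format
        reasons = suspicious_reasons(match["url"])
        if reasons:
            hits.append((line_no, match["user"], match["url"], reasons))
    return hits


if __name__ == "__main__":
    for line_no, user, url, reasons in scan_heartbeat_log(SAMPLE_LOG):
        print(f"line {line_no}: user={user} url={url} -> {', '.join(reasons)}")
```

Hostnames that are not literal IPs are deliberately not resolved here, so the scanner runs offline over archived logs; a name that resolves to an internal address at request time is only visible in network-level egress monitoring, which is why the page recommends both.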
Monitoring Recommendations
- Configure alerting for outbound requests to private IP ranges from the OnlineJudge server
- Implement logging and monitoring of all requests to the judge_server_heartbeat endpoint
- Set up network segmentation monitoring to detect lateral movement attempts
- Enable SentinelOne Singularity Platform for real-time behavioral analysis and threat detection on affected systems
How to Mitigate CVE-2026-5538
Immediate Actions Required
- Restrict access to the judge_server_heartbeat endpoint to trusted IP addresses only
- Implement strict input validation for the service_url parameter, including URL scheme whitelisting and destination validation
- Deploy network-level controls to prevent the application server from making requests to internal IP ranges
- Review and audit all judge server registrations for suspicious entries
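The second action above (scheme allowlisting plus destination validation for service_url) is the code-level fix. Because OnlineJudge is a Python project, the following added example is written in Python; it is not the project's code and assumes nothing about its internals. The function names (validate_service_url, is_safe_service_url), the VettedUrl result type and the resolver hook are all hypothetical. It checks the scheme, rejects embedded credentials and unexpected ports, optionally restricts the host to a registered allowlist, and then checks every address the host is or resolves to against globally routable space, unmapping IPv4-mapped IPv6 first.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_IP = ipaddress.ip_address("169.254.169.254")


class ServiceUrlError(ValueError):
    """Raised when a service_url must not be fetched by the server."""


@dataclass(frozen=True)
class VettedUrl:
    url: str          # normalised URL the caller may fetch
    host: str         # lower-cased host as submitted
    addresses: tuple  # every address the host was checked against (for connection pinning)


def _resolve_all(host):
    """Default resolver: every A/AAAA answer for host, as strings (replaceable for tests)."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ServiceUrlError(f"cannot resolve {host!r}: {exc}") from exc
    return [info[4][0].split("%")[0] for info in infos]  # strip IPv6 zone ids


def _check_address(ip):
    """Reject anything that is not a globally routable unicast address."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if ip == METADATA_IP:
        raise ServiceUrlError("cloud metadata endpoint is never a judge server")
    if not ip.is_global:
        # covers RFC 1918, loopback, link-local, CGNAT, multicast, reserved and documentation ranges
        raise ServiceUrlError(f"{ip} is not a globally routable address")
    return ip


def validate_service_url(url, allowed_hosts=None, allowed_ports=(80, 443), resolver=_resolve_all):
    """Return a VettedUrl or raise ServiceUrlError. allowed_ports should list the deployment's judge port(s)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ServiceUrlError(f"scheme {parts.scheme!r} not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ServiceUrlError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ServiceUrlError("credentials in URL are not allowed")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        raise ServiceUrlError("invalid port") from exc
    if port not in allowed_ports:
        raise ServiceUrlError(f"port {port} not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ServiceUrlError(f"host {host!r} is not a registered judge server")
    # Literal IPs are checked directly; names are resolved and EVERY answer is checked,
    # so a name with one public and one private record is still rejected.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ServiceUrlError(f"{host!r} resolved to no addresses")
    addresses = tuple(sorted({_check_address(ip) for ip in candidates}, key=str))
    netloc_host = f"[{host}]" if ":" in host else host
    clean = urlunsplit((scheme, f"{netloc_host}:{port}", parts.path or "/", parts.query, ""))
    return VettedUrl(url=clean, host=host, addresses=addresses)


def is_safe_service_url(url, **kwargs):
    """Boolean convenience wrapper around validate_service_url."""
    try:
        validate_service_url(url, **kwargs)
        return True
    except ServiceUrlError:
        return False
```

Two design points. First, the allowlist (allowed_hosts) is the control that actually matches the page's advice to accept only known judge servers; the address check is defence in depth for deployments that cannot maintain one. Second, resolving and then fetching by name leaves a window for a DNS answer to change between check and use, which is why the vetted addresses are returned: the HTTP client should connect to one of them rather than re-resolving the name.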
Patch Information
The vendor (QingdaoU) was contacted about this vulnerability but did not respond. No official patch is currently available. Organizations using OnlineJudge should implement the workarounds described below and monitor the GitHub Issue Discussion and VulDB entry for updates. Consider migrating to an alternative solution if patches are not released in a timely manner.
Workarounds
- Implement a reverse proxy or WAF in front of the OnlineJudge application to filter requests containing suspicious service_url values
- Configure network egress filtering to block the application server from accessing internal resources and cloud metadata endpoints
- Apply IP whitelisting for the judge_server_heartbeat endpoint to limit access to known, trusted judge servers
- Consider disabling the judge_server_heartbeat endpoint if not actively required for operations
# Example nginx configuration to restrict access to the vulnerable endpoint
location /judge_server_heartbeat {
    # Allow only trusted judge server IPs; everything else gets 403
    allow 203.0.113.10;
    allow 203.0.113.11;
    deny all;
    # Forward the surviving requests to the OnlineJudge backend
    proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.