CVE-2026-7305 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Xuxueli xxl-job, a distributed task scheduling platform widely used in enterprise environments. The vulnerability exists in the triggerJob function within the XxlJobServiceImpl.java file of the xxl-job-admin component. By manipulating the addressList argument through the trigger Endpoint, an authenticated attacker can potentially forge server-side requests to arbitrary destinations.
Critical Impact
This SSRF vulnerability could allow authenticated attackers to access internal services, scan internal networks, or interact with cloud metadata endpoints from the compromised xxl-job admin server.
Note: There is ongoing dispute regarding the existence of this vulnerability. The project maintainer has stated that triggers require manual activation with login and access control, and the researcher's pull request was rejected on these grounds.
Affected Products
- Xuxueli xxl-job versions up to and including 3.3.2
Discovery Timeline
- 2026-04-28 - CVE-2026-7305 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7305
Vulnerability Analysis
The vulnerability resides in the job triggering functionality of the xxl-job-admin component. Specifically, the triggerJob function in xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java fails to properly validate the addressList parameter before making server-side requests. This allows an authenticated user to specify arbitrary URLs or internal network addresses as the target for job execution requests.
SSRF vulnerabilities of this nature (CWE-918) can be particularly dangerous in cloud environments where metadata services are accessible, or in internal networks where the xxl-job server may have access to sensitive services that are otherwise protected from external access.
It's important to note that exploitation requires authentication and access to the trigger endpoint, which the maintainer argues provides sufficient protection. The dispute between the security researcher and project maintainer highlights the ongoing debate around vulnerability disclosure when mitigating controls exist.
Root Cause
The root cause of this vulnerability is insufficient input validation on the addressList parameter in the trigger Endpoint. The application accepts user-controlled URLs without proper sanitization or allowlist validation, enabling an attacker to redirect server-side requests to unintended destinations. The lack of URL scheme restriction and hostname validation allows requests to internal resources, localhost services, or external attacker-controlled servers.
Attack Vector
The attack can be initiated remotely through the network by any authenticated user with access to the job trigger functionality. The attacker would craft a malicious job trigger request with a manipulated addressList parameter pointing to internal services, cloud metadata endpoints (such as http://169.254.169.254/), or other sensitive resources. When the xxl-job server processes this request, it initiates a connection to the attacker-specified destination, potentially leaking sensitive information or enabling further lateral movement within the network.
The vulnerability requires authenticated access to the xxl-job admin interface, which provides some level of protection. However, in environments where multiple users have access to the admin console, or where authentication can be bypassed through other means, this SSRF could pose a significant risk.
Detection Methods for CVE-2026-7305
Indicators of Compromise
- Unusual outbound HTTP requests from the xxl-job-admin server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal
- Abnormal job trigger activity with custom or unusual addressList values in the trigger Endpoint logs
- Error logs indicating connection attempts to unexpected internal services
Detection Strategies
- Configure Web Application Firewalls (WAF) to monitor and alert on requests containing internal IP addresses or cloud metadata endpoints in the addressList parameter
- Implement application-level logging to capture all job trigger requests and their destination addresses for forensic analysis
- Deploy network monitoring to detect unusual egress traffic patterns from the xxl-job server
Monitoring Recommendations
- Enable detailed audit logging for all job trigger operations in xxl-job-admin
- Monitor network traffic from the xxl-job server for connections to internal services that wouldn't normally be accessed
- Set up alerts for access attempts to sensitive internal endpoints from the xxl-job application
How to Mitigate CVE-2026-7305
Immediate Actions Required
- Review and restrict access to the xxl-job admin interface to only trusted administrators
- Implement network segmentation to limit the xxl-job server's access to internal resources
- Deploy a WAF rule to inspect and block suspicious addressList values in trigger requests
- Audit job trigger logs for any suspicious activity
Patch Information
As of the last update, no official patch has been released for this vulnerability. The researcher's pull request (GitHub Pull Request #3937) was rejected by the maintainer, who considers the existing authentication and access controls sufficient. Organizations should monitor the xxl-job GitHub repository for any future security updates.
For additional context, refer to:
- GitHub Issue #3935 for the original vulnerability report
- VulDB #359960 for vulnerability database entry
Workarounds
- Implement URL allowlisting at the application level to restrict the addressList parameter to known, trusted executor addresses only
- Deploy network-level controls (firewall rules) to prevent the xxl-job server from initiating connections to sensitive internal services or cloud metadata endpoints
- Consider implementing a reverse proxy with request inspection capabilities to filter potentially malicious trigger requests before they reach the xxl-job application
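The allowlist workaround above and the log-based detection strategies in the Detection section both come down to the same check: is each address in a trigger's addressList a registered executor, and is it a destination the admin server should ever contact at all? The following is an added example, not code from the xxl-job project. It assumes executor addresses are registered in "http://host:port/" form (bare host:port is accepted as well), and the trigger log line layout, the registered executor list and the sample log lines are all constructed for the example; the real xxl-job-admin log format will differ and the regular expression would need to be adapted to it.

```python
"""Screen trigger addressList values against registered executors and scan
trigger logs for destinations that should never be contacted. Added example,
not xxl-job code; log format and sample data are constructed."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Cloud metadata hostnames named in the advisory; never a legitimate executor.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed log layout (assumption): "... user=<u> jobId=<n> addressList=<a,b,c>"
LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+jobId=(?P<job>\d+)\s+addressList=(?P<addrs>\S+)"
)


def parse_address(addr: str) -> Optional[tuple[str, str, int]]:
    """Split one executor address into (scheme, host, port); None if malformed."""
    raw = addr.strip()
    if "://" not in raw:
        raw = "http://" + raw  # bare host:port registrations (assumption)
    try:
        parts = urlsplit(raw)
        host, port = parts.hostname, parts.port  # .port raises on bad values
    except ValueError:
        return None
    if not host:
        return None
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    return parts.scheme.lower(), host.lower(), port


def hard_deny_reasons(addr: str) -> list[str]:
    """Reasons an address must never be contacted, regardless of any allowlist."""
    parsed = parse_address(addr)
    if parsed is None:
        return ["malformed"]
    scheme, host, _ = parsed
    reasons = []
    if scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme:{scheme}")
    if host in METADATA_HOSTS or host == "localhost":
        reasons.append("forbidden-host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return reasons  # hostname, not an IP literal
    if ip.is_link_local:  # 169.254.0.0/16 and fe80::/10, where metadata services live
        reasons.append("link-local")
    if ip.is_loopback:
        reasons.append("loopback")
    return reasons


def check_address_list(address_list: str, registered: Iterable[str]) -> dict[str, str]:
    """Map each address in a comma-separated addressList to a verdict:
    'ok' (registered executor), 'unregistered', or the hard-deny reasons."""
    allowed: set[tuple[str, int]] = set()
    for reg in registered:
        parsed = parse_address(reg)
        if parsed:
            allowed.add(parsed[1:])  # keyed on (host, port), scheme-agnostic
    verdicts: dict[str, str] = {}
    for addr in filter(None, (a.strip() for a in address_list.split(","))):
        reasons = hard_deny_reasons(addr)
        if reasons:
            verdicts[addr] = ",".join(reasons)
            continue
        parsed = parse_address(addr)
        verdicts[addr] = "ok" if parsed and parsed[1:] in allowed else "unregistered"
    return verdicts


def scan_trigger_logs(lines: Iterable[str], registered: Iterable[str]) -> list[dict]:
    """One alert per trigger log line whose addressList holds a hard-denied or
    unregistered destination; lines that do not match the layout are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = {a: v for a, v in check_address_list(m["addrs"], registered).items()
                    if v != "ok"}
        if findings:
            alerts.append({"user": m["user"], "jobId": int(m["job"]), "findings": findings})
    return alerts


# Constructed sample data for the example.
REGISTERED_EXECUTORS = ["http://10.0.1.5:9999/", "http://10.0.1.6:9999/"]
SAMPLE_LOG = [
    "2026-04-30 10:12:03 INFO trigger user=alice jobId=12 addressList=http://10.0.1.5:9999/",
    "2026-04-30 10:13:41 INFO trigger user=bob jobId=12 "
    "addressList=http://10.0.1.5:9999/,http://169.254.169.254/latest/meta-data/",
    "2026-04-30 10:15:09 INFO trigger user=bob jobId=7 addressList=http://10.0.9.200:8080/",
    "2026-04-30 10:16:22 INFO trigger user=carol jobId=3 addressList=ftp://10.0.1.5/",
]

if __name__ == "__main__":
    for alert in scan_trigger_logs(SAMPLE_LOG, REGISTERED_EXECUTORS):
        print(alert)
```

The design keeps two tiers on purpose: metadata hosts, link-local, loopback and non-HTTP schemes are rejected outright, while a private-range address is only flagged as "unregistered" when it is not in the executor set, since legitimate executors normally live on internal IPs and a blanket private-range block would break job dispatch. The same `check_address_list` function can serve as the application-level allowlist check at trigger time and as the classifier behind the log alerting.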
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.