Huly Platform – Server-Side Request Forgery via /import Endpoint

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N

Description

Huly Platform before commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.

Basic Information

ID CVE-2026-56769

Source VulnCheck

Published Jun 25, 2026 at 18:05

Affected Product

Vendor hcengineering

Product platform

Affected Versions hcengineering platform 0

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "Huly Platform before commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.",
    "published": "2026-06-25T18:05:45.572Z",
    "modified": "2026-06-25T18:05:45.572Z",
    "type": "cve",
    "title": "Huly Platform - Server-Side Request Forgery via /import Endpoint",
    "source": "VulnCheck",
    "references": "https://github.com/hcengineering/platform/issues/10892\nhttps://github.com/hcengineering/platform/pull/10910\nhttps://github.com/hcengineering/platform/commit/68cbf8a88642d8313f151a274fb5c24dee6a2762\nhttps://www.vulncheck.com/advisories/huly-platform-server-side-request-forgery-via-import-endpoint",
    "id": "CVE-2026-56769",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "hcengineering platform 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "platform",
    "version": "0",
    "vendor": "hcengineering",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Huly Platform – Server-Side Request Forgery via /import Endpoint_CVE-2026-56769