CVE-2026-24736
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Squidex's webhook rule functionality: an attacker who can configure a webhook rule can make the Squidex server send HTTP requests to internal or localhost addresses. Any Squidex instance up to and including version 7.21.0 with webhook rules enabled is affected. Because the response body of each webhook call is logged and that log is readable through the API, the issue is a full-read SSRF rather than a blind one.
💻 Affected Systems
- Squidex
📦 What is this software?
Squidex by Squidex.io
⚠️ Risk & Real-World Impact
Worst Case
Attackers can access internal services, read sensitive data from local services, potentially pivot to internal networks, and exploit other vulnerabilities in internal systems.
Likely Case
Attackers can read data from internal services, access metadata services (like AWS/Azure instance metadata), and potentially perform limited internal network reconnaissance.
If Mitigated
With proper network segmentation and firewall rules, impact is limited to services accessible from the Squidex server's network perspective.
🎯 Exploit Status
Exploitation requires an authenticated account with permission to create or edit rules in an app. Once a rule points at an internal URL, the request can be triggered by the rule's event or fired manually, and the response body is then readable through the rule events API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available as of publication
Vendor Advisory: https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w
Restart Required: Yes
Instructions:
No official patch available. Monitor Squidex GitHub repository for security updates and patch immediately when available.
🔧 Temporary Workarounds
Disable Webhook Rules
Temporarily disable existing webhook rules and restrict rule creation and editing to trusted roles until a fix ships.
Squidex permissions are assigned per app through roles; remove the rules permission from roles that do not need it, and review every existing rule for a target URL that is not a public host.
Network Segmentation
Restrict the Squidex server's outbound network access to the external services it actually needs. Dropping all outbound port 80/443 traffic, as a blanket rule, also breaks legitimate webhooks; the rules below (Linux, assuming the application runs as a dedicated unprivileged user named squidex) reject only non-public destinations. If Squidex reaches MongoDB or another dependency over loopback, insert an ACCEPT for that port ahead of them; for container deployments the owner match does not apply, so enforce the equivalent in the DOCKER-USER/FORWARD chain instead. Note that iptables cannot match IPv6 addresses such as ::1; those need ip6tables.
# Assumes Squidex runs as the unprivileged service user "squidex"; adjust to your deployment.
iptables  -A OUTPUT -m owner --uid-owner squidex -d 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j REJECT
iptables  -A OUTPUT -m owner --uid-owner squidex -d 169.254.0.0/16,100.64.0.0/10 -j REJECT
ip6tables -A OUTPUT -m owner --uid-owner squidex -d ::1/128,fc00::/7,fe80::/10 -j REJECT
🧯 If You Can't Patch
- Implement strict network egress filtering to block Squidex server from accessing internal/localhost addresses
- Monitor and audit all webhook rule configurations and API access logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Squidex version via admin interface or API. If version is 7.21.0 or earlier, the system is vulnerable.
Check Version:
The version is displayed in the Squidex admin UI. The /api/apps endpoint lists apps and does not report a version, so grepping its output for "version" returns nothing. For container deployments, read the running image tag instead:
docker ps --format '{{.Names}} {{.Image}}' | grep -i squidex
Verify Fix Applied:
When a patch becomes available, verify the version is greater than 7.21.0, then create a test rule targeting http://127.0.0.1/ and an encoded variant such as http://2130706433/ (the decimal form of 127.0.0.1). Both should be rejected when the rule is saved or when it fires, and the rule event log should contain no response body from the internal address.
📡 Detection & Monitoring
Log Indicators:
- Webhook requests to localhost/127.0.0.1 addresses
- Unusual rule execution patterns
- API access to rule execution logs containing internal service responses
Network Indicators:
- Outbound HTTP requests from Squidex server to internal IP ranges
- Requests to metadata services (169.254.169.254, 100.100.100.200, etc.)
SIEM Query:
source="squidex-logs" AND (url="*localhost*" OR url="*127.0.0.1*" OR url="*[::1]*" OR url="*169.254.169.254*" OR url="*100.100.100.200*" OR url="*metadata.google.internal*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")
String matching on the URL misses decimal, hex and octal IP encodings (2130706433, 0x7f000001, 0177.0.0.1), IPv4-mapped IPv6 literals ([::ffff:127.0.0.1]) and attacker-controlled DNS names that resolve to internal addresses. Correlate with the resolved destination IP in egress firewall or proxy logs, where the address is seen after name resolution.
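The following is an added example, not Squidex code, serving both the "Verify Fix Applied" check and the detection section above: it classifies a webhook target URL the way a hardened rule validator would (fail closed on internal ranges, shorthand IP encodings, IPv4-mapped IPv6 and DNS names with an internal answer) and then runs that classifier over constructed rule-log lines to produce the alerts a string match would miss. The log format, the resolver hook and all function names are assumptions made for illustration.

```python
"""Flag SSRF-relevant webhook targets: a URL classifier plus a rule-log scanner.
Added example, not Squidex code; log format, resolver hook and names are assumed."""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Ranges a webhook must never reach: loopback, RFC1918, CGNAT, link-local (cloud
# metadata sits at 169.254.169.254), NAT64, ULA, multicast. Listed explicitly
# rather than via ipaddress.is_private, whose coverage varies by Python version.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}


def default_resolver(host: str) -> List[str]:
    """Every A/AAAA answer for host (live DNS; the sample run injects a fake)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Parse an IP literal, including the shorthand inet_aton accepts (decimal
    2130706433, hex 0x7f000001, octal 0177.0.0.1, short 127.1) that a string
    match on '127.0.0.1' would miss. Returns None for hostnames."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def is_internal_address(ip: IPAddress) -> bool:
    """True if ip is in a blocked range; IPv4-mapped IPv6 is judged as its IPv4."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def classify_webhook_target(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed: any internal answer, a non-HTTP
    scheme or an unresolvable name rejects the target. DNS rebinding can still
    change the answer between this check and the connect, so this is a
    pre-filter; an egress firewall remains the enforcement layer."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lowercased, IPv6 brackets and userinfo stripped
    if not host:
        return False, "missing host"
    if host in BLOCKED_NAMES or host.endswith(".localhost"):
        return False, f"{host} is an internal name"
    literal = parse_ip_literal(host)
    addresses = [literal] if literal else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addresses:
        return False, f"{host} does not resolve"
    for ip in addresses:
        if is_internal_address(ip):
            return False, f"{host} -> {ip} is in an internal range"
    return True, "public target"


LOG_URL_RE = re.compile(r"\burl=(\S+)")


def scan_rule_log(lines: Iterable[str], resolver: Resolver = default_resolver) -> List[Tuple[int, str, str]]:
    """(line_no, url, reason) for every log line whose webhook target is internal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_URL_RE.search(line)
        if m:
            allowed, reason = classify_webhook_target(m.group(1), resolver)
            if not allowed:
                hits.append((n, m.group(1), reason))
    return hits


# Constructed DNS answers and log lines standing in for live DNS and real logs.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "rebind.example": ["203.0.113.20", "10.0.0.5"],  # one public, one internal answer
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


SAMPLE_LOG = """\
2026-01-15T10:22:31Z rule=r1 event=WebhookSent url=https://hooks.example.com/inbound status=200
2026-01-15T10:22:40Z rule=r2 event=WebhookSent url=http://127.0.0.1:9200/_cat/indices status=200
2026-01-15T10:22:45Z rule=r2 event=WebhookSent url=http://2130706433:9200/ status=200
2026-01-15T10:22:50Z rule=r3 event=WebhookSent url=http://[::ffff:10.0.0.5]/admin status=403
2026-01-15T10:23:02Z rule=r4 event=WebhookSent url=http://rebind.example/ status=200
2026-01-15T10:23:10Z rule=r5 event=WebhookSent url=http://169.254.169.254/latest/meta-data/ status=200
2026-01-15T10:23:20Z rule=r6 event=WebhookSent url=file:///etc/passwd status=0
""".splitlines()

if __name__ == "__main__":
    for line_no, url, reason in scan_rule_log(SAMPLE_LOG, fake_resolver):
        print(f"line {line_no}: {url}: {reason}")
```

Run as a script, it flags lines 2 through 7 of the constructed log and leaves the public hooks.example.com call alone. The rebind.example case is the one worth noting: a name with one public and one internal answer is rejected outright, because the HTTP client may pick either. The resolver is injected so the scanner can run over historical logs against a recorded DNS view instead of today's answers.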