CVE-2026-2532

6.3 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in lintsinghua DeepAudit versions up to 3.0.3. Attackers can exploit this vulnerability remotely to make the server send unauthorized requests to internal or external systems. Organizations using DeepAudit versions 3.0.3 or earlier are affected.

💻 Affected Systems

Products:
  • lintsinghua DeepAudit
Versions: Up to and including 3.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the IP Address Handler component in backend/app/api/v1/endpoints/embedding_config.py

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network.

🟠 Likely Case: Unauthorized access to internal APIs, metadata services, or cloud instance metadata leading to information disclosure.

🟢 If Mitigated: Limited impact with proper network segmentation and egress filtering in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Based on the CVE description, remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.4 or 3.1.0

Vendor Advisory: https://github.com/lintsinghua/DeepAudit/releases/tag/v3.0.4

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the DeepAudit service.
3. Upgrade to version 3.0.4 or 3.1.0 using the package manager or a manual installation.
4. Restart the DeepAudit service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Platform: Linux

Restrict the DeepAudit server's outbound network access to only the destinations it requires. The two rules below are a blunt starting point: they drop all outbound HTTP and HTTPS, so place ACCEPT rules for the embedding provider(s) the deployment legitimately uses ahead of them, and note that they do not stop requests to internal services listening on other ports.

iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

Input Validation

Platform: All

Implement input validation for the IP address parameter handled by the embedding_config endpoint, so that only destinations the service is meant to reach are accepted.
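The following is an added example of what such validation looks like in practice; it is not DeepAudit's code. The advisory names backend/app/api/v1/endpoints/embedding_config.py but shows none of it, so the function names, the pluggable `resolve` hook and the sample hostnames are assumptions made for this illustration. The guard validates the addresses a host resolves to rather than the string itself, which is what catches decimal IPs, hostnames pointing at loopback, IPv4-mapped IPv6 and hosts with one public and one internal record.

```python
"""Hypothetical SSRF guard for a user-supplied embedding endpoint address.

Added example, not DeepAudit's own code. Function names, the `resolve` hook
and the FAKE_DNS table are assumptions made for this illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA record it currently has (real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_address(addr) -> bool:
    """True for any address an embedding endpoint must never point at.

    Covers loopback, RFC 1918 / ULA, link-local (where the 169.254.169.254
    cloud metadata address lives), reserved, unspecified and multicast ranges.
    IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped first so it cannot slip
    past an IPv4-only check.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def validate_embedding_url(url: str, resolve: Resolver = system_resolver) -> str:
    """Return `url` if it targets a public host over http(s); raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:                                   # literal IP, v4 or v6
        addresses = [ipaddress.ip_address(host)]
    except ValueError:                     # hostname: judge what it resolves to
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    for addr in addresses:                 # every record must be public, not just one
        if is_forbidden_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "embeddings.example.net": ["8.8.8.8"],         # stand-in for a public provider
    "metadata.google.internal": ["169.254.169.254"],
    "localhost": ["127.0.0.1", "::1"],
    "2130706433": ["127.0.0.1"],                   # decimal 127.0.0.1, as inet_aton reads it
    "dual.example.net": ["8.8.8.8", "10.0.0.5"],   # one public, one internal record
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


def check(url: str, resolve: Resolver = fake_resolver) -> str:
    """Classify a candidate URL as 'allowed' or 'blocked: <reason>'."""
    try:
        validate_embedding_url(url, resolve)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for candidate in (
        "https://embeddings.example.net/v1/embeddings",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.google.internal/",
        "http://localhost:8000/",
        "http://2130706433/",
        "http://[::ffff:10.0.0.5]/",
        "http://dual.example.net/",
        "gopher://8.8.8.8/",
    ):
        print(f"{candidate:50} {check(candidate)}")
```

Two points of design matter here. The check must run every time the stored address is used, not only when it is saved, and because the HTTP client re-resolves the hostname when it connects, a DNS answer that changes between validation and use (rebinding) can still reach an internal address; the usual fix is to connect to the validated IP and send the hostname in the Host header, or to repeat this check inside the client's connection hook.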

🧯 If You Can't Patch

  • Implement strict network egress filtering to block unauthorized outbound requests
  • Deploy a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check the DeepAudit version: if it is ≤ 3.0.3, the system is vulnerable.

Check Version:

Check DeepAudit configuration files or package manager for version information

Verify Fix Applied:

Verify that the version is 3.0.4 or higher and that commit da853fdd8cbe9d42053b45d83f25708ba29b8b27 is present.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from DeepAudit server
  • Requests to internal IP ranges or metadata services

Network Indicators:

  • Unexpected outbound connections from DeepAudit server to internal services

SIEM Query:

source="DeepAudit" AND (dest_ip=169.254.169.254 OR dest_ip=10.* OR dest_ip=192.168.* OR dest_ip=172.16.*)

Note that the 172.16.* wildcard only covers 172.16.0.0/16; the full RFC 1918 block is 172.16.0.0/12 (172.16.* through 172.31.*), so extend the pattern or use your SIEM's CIDR-match function.
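As an added illustration (not part of the advisory's tooling) of running the indicators above over egress logs, the script below triages constructed key=value connection-log lines from a DeepAudit host. It goes beyond the SIEM query: it matches the whole 172.16.0.0/12 block plus loopback, link-local and the IPv6 equivalents, and it also emulates the page's wildcard query literally so the records the wildcard misses (anything in 172.17.* to 172.31.*) are visible. The log format, field names and every address in SAMPLE_LOG are constructed for this example.

```python
"""Triage of egress-log lines for SSRF-style requests leaving a DeepAudit host.

Added example, not part of the advisory's tooling: the key=value log format,
the field names and every address in SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from fnmatch import fnmatch

# Destinations a DeepAudit server has no legitimate reason to contact.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # cloud instance metadata service
    "169.254.0.0/16",       # remaining link-local space
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",        # 172.16.0.0 through 172.31.255.255
    "192.168.0.0/16",
    "::1/128",
    "fc00::/7",             # IPv6 unique-local
    "fe80::/10",            # IPv6 link-local
)]

# Literal reading of the advisory's SIEM query: prefix wildcards on dest_ip.
SIEM_WILDCARDS = ("169.254.169.254", "10.*", "192.168.*", "172.16.*")

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: one outbound connection per line, key=value fields.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z source="DeepAudit" src_ip=10.10.1.20 dest_ip=8.8.8.8 dest_port=443 method=POST path=/v1/embeddings
2026-03-01T10:00:02Z source="DeepAudit" src_ip=10.10.1.20 dest_ip=169.254.169.254 dest_port=80 method=GET path=/latest/meta-data/
2026-03-01T10:00:03Z source="DeepAudit" src_ip=10.10.1.20 dest_ip=172.20.0.5 dest_port=8080 method=GET path=/admin
2026-03-01T10:00:04Z source="DeepAudit" src_ip=10.10.1.20 dest_ip=192.168.1.10 dest_port=9200 method=GET path=/
2026-03-01T10:00:05Z source="nginx" src_ip=10.10.1.20 dest_ip=10.0.0.7 dest_port=5432 method=- path=-
2026-03-01T10:00:06Z source="DeepAudit" src_ip=10.10.1.20 dest_ip=203.0.113.40 dest_port=443 method=POST path=/v1/embeddings
""".splitlines()


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_suspicious_network(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:            # malformed or missing field: not a range hit
        return False
    return any(ip in net for net in SUSPICIOUS_NETWORKS)


def matches_siem_query(fields: dict) -> bool:
    """What the page's wildcard query would match (fnmatch treats '.' literally)."""
    return fields.get("source") == "DeepAudit" and any(
        fnmatch(fields.get("dest_ip", ""), pat) for pat in SIEM_WILDCARDS)


def triage(lines):
    """(line_no, dest_ip, path) for every DeepAudit egress line into a suspicious range."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        if f.get("source") == "DeepAudit" and in_suspicious_network(f.get("dest_ip", "")):
            hits.append((n, f["dest_ip"], f.get("path", "")))
    return hits


def missed_by_siem_query(lines):
    """Hits the range check finds that the literal wildcard query would not."""
    return [(n, ip, path) for n, ip, path in triage(lines)
            if not matches_siem_query(parse_line(lines[n - 1]))]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("suspicious egress:", hit)
    for hit in missed_by_siem_query(SAMPLE_LOG):
        print("missed by the 172.16.* wildcard:", hit)
```

On the sample, lines 2, 3 and 4 are flagged and line 3 (172.20.0.5) is the one the wildcard query would silently drop; the nginx line is ignored because the source filter, not the address, decides whether a record belongs to DeepAudit.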
