Cloudreve Loopback URL SSRF Vulnerability in Remote Download Workflow

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Cloudreve's remote download feature, prior to version 4.16.1. This issue allows non-admin users with remote download permissions to access internal URLs via the server's downloader. The vulnerability arises because the application fails to validate user-supplied URLs before processing them, leaving internal services exposed. Exploitation can be achieved by redirecting to loopback addresses or by directly accessing internal-only URLs, with the response being imported into the user's Cloudreve files.

Impact

Exploitation of this vulnerability allows access to internal HTTP services, loopback-only admin panels, local service metadata, or other network resources not directly reachable by the user.

Reproduction

To reproduce this vulnerability, first ensure that the user is authenticated and belongs to a group with remote download permissions. Then, send a POST request to the '/api/v4/workflow/download' endpoint with a URL that points to an internal service or loopback address. After the download is processed, the imported response can be accessed through Cloudreve's file management APIs.

Remediation

Users can update to Cloudreve version 4.16.1 or later, where this vulnerability has been fixed.

Added: Jul 15, 2026, 3:43 PM
Updated: Jul 15, 2026, 3:43 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
1.0
exploitability
6.2
remediation
7.7
relevance
9.8
threat
6.4
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.