Casdoor Webhook URL Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Casdoor version 2.356.0. This issue arises in the Webhook URL Handler component, where the application fetches admin-configured webhook URLs without validating the destination. As a result, an attacker with organization-admin access could point a webhook at internal services or cloud metadata endpoints, potentially exfiltrating sensitive information or scanning internal infrastructure.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where an attacker can make the server send requests to internal services or external endpoints, bypassing network restrictions and potentially accessing sensitive data or services.
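The root cause described above is a missing destination check on the fetched URL. As an added illustration, not code from the Casdoor project and not a vendor fix, the following Go program shows the kind of validation a webhook-URL handler needs before dispatching a request: allow only http(s), reject embedded credentials and localhost names, resolve the host, and refuse any address in loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint) or unspecified ranges. The `Resolver` type, the function names and the sample hostnames are assumptions of this example; a fake resolver is used so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// blockedNets lists ranges a webhook must never reach: loopback, RFC 1918
// private space, link-local (includes the cloud metadata address), CGNAT,
// "this network", and their IPv6 counterparts. IPv4-mapped IPv6 literals
// are handled because net.IPNet.Contains normalises them via To4().
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP reports whether ip falls inside any blocked range.
func isBlockedIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS so the check can be exercised offline (assumed
// type for this example); in production pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// ValidateWebhookURL accepts only http(s) URLs whose host resolves
// exclusively to non-blocked addresses. It returns the vetted IPs so the
// caller can dial one of them directly instead of re-resolving the name,
// which closes the DNS-rebinding window between check and use.
func ValidateWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in webhook URL not allowed")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return nil, errors.New("missing host")
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return nil, errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no lookup needed
	} else {
		ips, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("%q resolves to no addresses", host)
		}
	}
	// Every resolved address must be acceptable; one blocked record is
	// enough to reject the whole webhook.
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

func main() {
	// Constructed resolver answers for the demonstration.
	fake := func(host string) ([]net.IP, error) {
		if host == "hooks.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://hooks.example.com/notify",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.1]/",
	} {
		ips, err := ValidateWebhookURL(raw, fake)
		fmt.Printf("%-45s ips=%v err=%v\n", raw, ips, err)
	}
}
```

Two points complete the defence: the HTTP client used to deliver the webhook should disable or re-validate redirects (each `Location` target goes through the same function), and the connection should be made to a returned IP with the original hostname kept only for the `Host` header and TLS SNI. Because the check runs on what the resolver returns rather than on the URL string, obfuscated literals the resolver happens to accept are still caught.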

Remediation

No known mitigation is available for this vulnerability.

Added: Apr 3, 2026, 3:17 PM
Updated: Apr 3, 2026, 3:17 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.4
exploitability: 5.7
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.