CVE-2026-0932 PUBLISHED

Assigner: M-Files Corporation
Reserved: 14.01.2026 Published: 01.04.2026 Updated: 01.04.2026

Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor M-Files Corporation
Product M-Files Server
Versions Default: unaffected
  • affected from 0 to 26.3.15818.5 (excl.)

Credits

  • Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber) finder

References

Problem Types

  • CWE-918 Server-Side request forgery (SSRF) CWE

Impacts

  • CAPEC-664 Server Side Request Forgery