Cyber Resilience

CVE-2026-5469

Severity: Medium
Published: 03 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
EPSS score: 0.0005 (14.5th percentile)
Risk Priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5469 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in Casbin's Casdoor, affecting version 2.356.0. Its CVSS v4.0 base score is 5.1 (Medium); the CVSS v3.1 equivalent is 4.7.

Operationally, its EPSS score places it at the 14.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5469 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Casdoor version 2.356.0. The weakness lies in an unspecified code path of the Webhook URL Handler component: manipulating the webhook URL makes the server issue a request to a destination the attacker chooses. Published on 2026-04-03, it carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability is exploitable remotely (AV:N) without user interaction (UI:N), but only by an authenticated attacker holding high privileges (PR:H), in practice an account permitted to configure webhook destinations. Successful exploitation lets that attacker direct the Casdoor server's webhook requests at a destination of their choosing, with low impacts on confidentiality, integrity, and availability and no change of scope (S:U). As with any SSRF, the practical risk depends less on those ratings than on what the Casdoor server can reach that the attacker cannot: internal services and cloud metadata endpoints are the usual targets.

VulDB notes that the vendor was contacted early about the disclosure but did not respond. None of the referenced sources describe a patch or a vendor-supplied mitigation.

Vulnerability details

A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39361 (shared CWE-918)
CVE-2025-31117 (shared CWE-918)
CVE-2026-6514 (shared CWE-918)
CVE-2026-44116 (shared CWE-918)
CVE-2026-21887 (shared CWE-918)
CVE-2026-33502 (shared CWE-918)
CVE-2025-71258 (shared CWE-918)
CVE-2026-30810 (shared CWE-918)
CVE-2026-26150 (shared CWE-918)
CVE-2021-34473 (shared CWE-918)

Affected Assets

Vendor: casbin
Product: casdoor
Version: 2.356.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent)

Directly validates and sanitizes webhook URL inputs to block SSRF exploitation by enforcing allowlisted schemes, hosts, and paths.

AC-4 Information Flow Enforcement (prevent)

Enforces approved information flows to prevent the Webhook URL Handler from initiating unauthorized server-side requests to internal or external resources.

SC-7 Boundary Protection (prevent, detect)

Monitors and controls communications at system boundaries to restrict and detect anomalous outbound requests triggered by SSRF in the Webhook URL Handler.
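On the sending side, the first two controls reduce to one piece of code: validate the configured webhook URL against an allowlist, decide on the addresses the name actually resolves to rather than on the string, and then connect only to those addresses so the decision cannot be undone between check and delivery. The Go program below is an example added to this page; it is not Casdoor's code, it does not show how the Webhook URL Handler in 2.356.0 behaves or how the issue was or should be fixed upstream, and Go is used only because Casdoor is written in Go. The https-only policy, the blocked address ranges, the function names and the StubResolver answers (hooks.example.com, rebind.example.com, 203.0.113.10, 10.0.0.5) are all assumptions constructed for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// ErrBlockedDestination marks every rejection made by the allowlist policy.
var ErrBlockedDestination = errors.New("webhook destination not allowed")

// Resolver matches net.DefaultResolver.LookupNetIP (production); StubResolver below is the offline stand-in.
type Resolver func(ctx context.Context, network, host string) ([]netip.Addr, error)

// blockedNets (policy assumption for this example): this-host, loopback, RFC 1918, CGNAT, link-local
// (which holds the 169.254.169.254 metadata endpoint), multicast and reserved space, plus IPv6 counterparts.
var blockedNets = func() (ps []netip.Prefix) {
	for _, s := range []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
		"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
		"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"} {
		ps = append(ps, netip.MustParsePrefix(s))
	}
	return ps
}()

// IsBlockedAddr reports whether a lies in a blocked range. Unmap folds ::ffff:127.0.0.1 back to
// 127.0.0.1 and WithZone drops an IPv6 scope id; both spellings are known filter bypasses.
func IsBlockedAddr(a netip.Addr) bool {
	a = a.Unmap().WithZone("")
	for _, p := range blockedNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateWebhookURL enforces the policy (https only, no userinfo, every resolved address publicly
// routable) and returns the addresses so the caller can pin its connection to them. Judging resolved
// addresses rather than the hostname string also defeats decimal, octal and hex IP spellings.
func ValidateWebhookURL(ctx context.Context, raw string, resolve Resolver) (*url.URL, []netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, err
	}
	if u.Scheme != "https" { // policy assumption for this example
		return nil, nil, fmt.Errorf("%w: scheme %q", ErrBlockedDestination, u.Scheme)
	}
	if u.User != nil { // "trusted.host@evil.host" parser-confusion bypass
		return nil, nil, fmt.Errorf("%w: userinfo present", ErrBlockedDestination)
	}
	host := u.Hostname()
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a}
	} else if addrs, err = resolve(ctx, "ip", host); err != nil || len(addrs) == 0 {
		return nil, nil, fmt.Errorf("%w: cannot resolve %q (%v)", ErrBlockedDestination, host, err)
	}
	for _, a := range addrs { // one blocked answer rejects the whole set (split-horizon DNS, rebinding)
		if IsBlockedAddr(a) {
			return nil, nil, fmt.Errorf("%w: %s resolves to %s", ErrBlockedDestination, host, a)
		}
	}
	return u, addrs, nil
}

// PinnedClient dials only the validated address, whatever the name resolves to at connect time
// (closing the DNS-rebinding window), and refuses redirects, since a 302 to an internal host would
// bypass the check. TLS still verifies the certificate against the URL's hostname, not the IP.
func PinnedClient(pin netip.Addr) *http.Client {
	return &http.Client{
		Timeout:       10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Transport: &http.Transport{DialContext: func(ctx context.Context, network, hostport string) (net.Conn, error) {
			_, port, err := net.SplitHostPort(hostport) // keep the port, replace the host
			if err != nil {
				return nil, err
			}
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(pin.String(), port))
		}},
	}
}

// StubResolver is constructed data standing in for DNS: 203.0.113.0/24 is RFC 5737 documentation
// space; 10.0.0.5 plays an internal host leaked through a split-horizon name.
func StubResolver(_ context.Context, _, host string) ([]netip.Addr, error) {
	switch host {
	case "hooks.example.com":
		return []netip.Addr{netip.MustParseAddr("203.0.113.10")}, nil
	case "rebind.example.com":
		return []netip.Addr{netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("10.0.0.5")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{"https://hooks.example.com/casdoor", "https://rebind.example.com/hook",
		"https://169.254.169.254/latest/meta-data/", "https://hooks.example.com@127.0.0.1/"} {
		_, addrs, err := ValidateWebhookURL(context.Background(), raw, StubResolver)
		fmt.Println(raw, "->", addrs, err) // on nil err, addrs[0] goes to PinnedClient for delivery
	}
}
```

Two points the control descriptions leave implicit are carried by the code: the allowlist is applied to resolved addresses and then held at connect time (PinnedClient dials the checked address, so a DNS answer that changes between validation and delivery cannot redirect the request), and redirects are refused, because a webhook endpoint the attacker controls can answer with a 302 to http://169.254.169.254/ and a default client would follow it. Egress filtering at the network boundary (the third control above) remains the backstop for anything the application-level check misses.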