CVE-2026-56769
HIGH
Huly Platform - Server-Side Request Forgery via /import Endpoint
Title source: cna
Description
Huly Platform through 0.7.423, fixed in commit 68cbf8a, contains an authenticated server-side request forgery vulnerability in the /import endpoint of the front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.
References (4)
Core References
Researcher Disclosure (exploit, technical-description): https://github.com/hcengineering/platform/issues/10892
Patch Commit (patch): https://github.com/hcengineering/platform/commit/68cbf8a88642d8313f151a274fb5c24dee6a2762
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/huly-platform-server-side-request-forgery-via-import-endpoint
Scores
CVSS v3: 8.5
EPSS: 0.0022
EPSS Percentile: 12.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (2)
hcengineering/platform: < 0.7.423
hcengineering/platform: 68cbf8a88642d8313f151a274fb5c24dee6a2762
Published: Jun 25, 2026
Tracked Since: Jun 26, 2026