{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0932", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2026-01-14T07:38:43.377Z", "datePublished": "2026-04-01T10:03:27.785Z", "dateUpdated": "2026-04-01T12:38:30.875Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2026-04-01T10:04:00.283Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"vendor": "M-Files Corporation", "product": "M-Files Server", "versions": [{"status": "affected", "version": "0", "lessThan": "26.3.15818.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.</span>"}]}], "references": [{"url": "https://empower.m-files.com/security-advisories/CVE-2026-0932", "tags": ["vendor-advisory"]}, {"url": "https://product.m-files.com/security-advisories/cve-2026-0932/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T12:38:16.581528Z", "id": "CVE-2026-0932", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T12:38:30.875Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0932", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2026-01-14T07:38:43.377Z", "datePublished": "2026-04-01T10:03:27.785Z", "dateUpdated": "2026-04-01T12:38:30.875Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2026-04-01T10:04:00.283Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "CWE-918 Server-Side request forgery (SSRF)", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "affected": [{"vendor": "M-Files Corporation", "product": "M-Files Server", "versions": [{"status": "affected", "version": "0", "lessThan": "26.3.15818.5", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span>Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.</span>"}]}], "references": [{"url": "https://empower.m-files.com/security-advisories/CVE-2026-0932", "tags": ["vendor-advisory"]}, {"url": "https://product.m-files.com/security-advisories/cve-2026-0932/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T12:38:16.581528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T12:38:26.492Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "25434133-597E-4641-8432-3D8366D9C796", "versionEndExcluding": "26.3.15818.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs."}], "id": "CVE-2026-0932", "lastModified": "2026-04-02T18:18:54.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2026-04-01T11:15:58.263", "references": [{"source": "security@m-files.com", "tags": ["Vendor Advisory"], "url": "https://empower.m-files.com/security-advisories/CVE-2026-0932"}, {"source": "security@m-files.com", "tags": ["Vendor Advisory"], "url": "https://product.m-files.com/security-advisories/cve-2026-0932/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@m-files.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.3.15818.5)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "M-Files Server", "source": "cna", "vendor": "M-Files Corporation"}, "product": "m-files_server", "vendor": "m-files"}], "analysis": {"en": {"generated_at": "2026-04-02T21:43:47.651562+00:00", "value": {"mitigation_remediation": ["Upgrade the M\u2011Files Server to version\u202f26.3 or later.", "If an immediate upgrade is not possible, restrict outbound network traffic from the server or block the specific endpoints used for co\u2011authoring.", "Monitor the server\u2019s outbound HTTP traffic for unexpected GET requests as a detection early warning."], "summary": {"action": "Patch", "impact": "Blind server\u2011side request forgery"}, "threat_synthesis": {"affected_systems": "M\u2011Files Server before version\u202f26.3, used by organizations deploying document co\u2011authoring features. The legacy co\u2011authoring connection methods present this weakness for all installations running these pre\u201126.3 releases.", "description_and_impact": "The vulnerability allows an unauthenticated external actor to trigger the M\u2011Files Server to send arbitrary HTTP GET requests, enabling the server to access internal or external resources that may contain sensitive data. Because the request originates from the server, the attacker gains a gateway to internal systems or external services, potentially exposing confidential information or facilitating further attacks. The flaw is a classic blind SSRF represented by CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 6.9 reflects moderate severity; the EPSS score of less than\u202f1\u202f% indicates a low likelihood of exploitation in the wild, and the vulnerability is not part of the CISA KEV catalog. Nonetheless, the flaw can be abused remotely without authentication, exploiting network connectivity from the server to arbitrary URLs. The attack vector is inferred to be network\u2011based, in line with the description of an unauthenticated caller inducing outbound traffic."}}}}, "created": "2026-04-02T07:49:21.884936+00:00", "updated": "2026-04-03T09:19:10.363634+00:00", "vendors": ["m-files", "m-files$PRODUCT$m-files_server"]}