CVE-2026-56769 | Huly Platform through 0.7.423, fixed in commit 68cbf8a conta… | CVSS 8.5 HIGH

Description

Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.

Metadata

CVE ID: CVE-2026-56769
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-22 21:55 UTC
Published: 2026-06-25 18:05 UTC
Last updated: 2026-06-25 18:29 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: hcengineering / platform
Sources: cve.org · NVD

Severity & Metrics

8.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
hcengineering	platform	—	0 ≤ 0.7.423, 68cbf8a88642d8313f151a274fb5c24dee6a2762

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N

References (4)

Researcher Disclosure https://github.com/hcengineering/platform/issues/10892
Pull Request https://github.com/hcengineering/platform/pull/10910
Patch Commit https://github.com/hcengineering/platform/commit/68cbf8a88642d8313f151a274fb5c24dee6a2762
https://www.vulncheck.com/advisories/huly-platform-server-side-request-forgery-via-import-endpoint