{"id":"CVE-2026-56769","summary":"Huly Platform - Server-Side Request Forgery via /import Endpoint","details":"Huly Platform through 0.7.423 (fixed in commit 68cbf8a) contains an authenticated server-side request forgery vulnerability in the /import endpoint of the front pod that allows workspace users to make the server issue arbitrary requests. Attackers can exploit this by supplying malicious URLs to fetch internal services, exfiltrate responses, and replay credentials against backend systems.","modified":"2026-06-26T04:12:20.872849527Z","published":"2026-06-25T18:05:45.572Z","database_specific":{"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56769.json","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56769.json"},{"type":"PACKAGE","url":"https://github.com/hcengineering/platform"},{"type":"FIX","url":"https://github.com/hcengineering/platform/commit/68cbf8a88642d8313f151a274fb5c24dee6a2762"},{"type":"EVIDENCE","url":"https://github.com/hcengineering/platform/issues/10892"},{"type":"REPORT","url":"https://github.com/hcengineering/platform/pull/10910"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56769"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/huly-platform-server-side-request-forgery-via-import-endpoint"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hcengineering/platform","events":[{"introduced":"0"},{"last_affected":"b9f2f9d5b110e18e0484c90e4358f0fc8ae419bd"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"0.7.423"}]}}],"versions":["v0.7.423","v0.7.413","v0.7.411","v0.7.382","v0.7.375","v0.7.371","v0.7.353","v0.7.350","v0.7.344","v0.7.342","v0.7.314","v0.7.313","v0.7.311","v0.7.310","s0.7.308","v0.7.306","v0.7.302","v0.7.266","v0.7.252","v0.7.242","v0.7.235","s0.7.235","s0.7.234","s0.7.233",
"s0.7.232","s0.7.231","s0.7.230","s0.7.229","s0.7.228","s0.7.227","s0.7.226","s0.7.225","s0.7.224","s0.7.223","s0.7.222","s0.7.221","s0.7.220","s0.7.219","s0.7.218","s0.7.217","s.0.7.217","s.0.7.216","s0.7.215","s0.7.214","s0.7.213","s0.7.212","s0.7.211","s0.7.210","s0.7.209","s0.7.206","s0.7.205","s0.7.204","s0.7.203","s0.7.202","s0.7.201","s0.7.200","s0.7.199","s0.7.198","s0.7.197","s0.7.196","s0.7.195","s0.7.194","s0.7.193","s0.7.192","s0.7.191","s0.7.190","s0.7.189","s0.7.188","s0.7.187","s0.7.186","s0.7.185","s0.7.184","s0.7.183","s0.7.182","s0.7.181","s0.7.180","s0.7.179","s0.7.178","s0.7.177","s0.7.176","s0.7.175","s0.7.174","s0.7.173","s0.7.172","s0.7.171","s0.7.170","s0.7.169","s0.7.168","s0.7.167","s0.7.166","s0.7.165","s0.7.164","s0.7.163","s0.7.162","s0.7.161","s0.7.160","s0.7.159","s0.7.157","s0.7.156","s0.7.155","s0.7.154","s0.7.153","s0.7.151","s0.7.150","s0.7.149","s0.7.148","s0.7.147","s0.7.146","s0.7.145","s0.7.144","s0.7.143","s0.7.142","s0.7.141","s0.7.140","s0.7.139","s0.7.138","s0.7.137","s0.7.136","s0.7.135","s0.7.134","s0.7.133","s0.7.132","s0.7.131","s0.7.130","s0.7.129","s0.7.128","s0.7.127","s0.7.126","s0.7.125","s0.7.124","s0.7.123","s0.7.122","s0.7.121","s0.7.120","s0.7.119","s0.7.118","s0.7.117","s0.7.116","s0.7.115","s0.7.114","s0.7.113","s0.7.112","s0.7.111","s0.7.110","s0.7.109","s0.7.108","s0.7.107","s0.7.106","s0.7.105","s0.7.104","s0.7.103","s0.7.102","s0.7.101","s0.7.100","s0.7.99","s0.7.98","s0.7.97","s0.7.96","s0.7.95","s0.7.94","s0.7.93","s0.7.92","s0.7.91","s0.7.90","s0.7.89","s0.7.88","s0.7.87","s0.7.86","s0.7.85","s0.7.84","s0.7.83","s0.7.82","s0.7.81","s0.7.80","s0.7.79","s0.7.78","s0.7.77","s0.7.76","s0.7.75","s0.7.74","s0.7.73","s0.7.72","s0.7.71","s0.7.70","s0.7.69","s0.7.68","s0.7.67","s0.7.66","s0.7.65","s0.7.64","s0.7.63","s0.7.62","s0.7.61","s0.7.60","s0.7.59","s0.7.58","s0.7.57","s0.7.56","s0.7.55","s0.7.54","s0.7.53","s0.7.52","s0.7.51","s0.7.50","s0.7.49","s0.7.48","s0.7.47","s0.7.46","s0.7.45","s0.7.44","s0.7.43
","s0.7.42","s0.7.41","s0.7.40","s0.7.39","s0.7.38","s0.7.37","s0.7.36","s0.7.35","s0.7.34","s0.7.33","s0.7.32","s0.7.31","s0.7.30","s0.7.29","s0.7.28","s0.7.27","s0.7.26","s0.7.25","s0.7.23","s0.7.22","s0.7.21","s0.7.20","s0.7.19","s0.7.18","s0.7.17","s0.7.16","s0.7.15","s0.7.14","s0.7.13","s0.7.12","s0.7.11","s0.7.10","s0.7.9","s0.7.8","s0.7.7","s0.7.6","s0.7.5","s0.7.4","s0.7.3","s0.7.2","s0.7.1","s0.6.446","s0.6.445","s0.6.442","v0.6.441","s0.6.440","s0.6.439","s0.6.437","s0.6.434","s0.6.433","s0.6.431","s0.6.430","v0.6.427","v0.6.425","v0.6.426","v0.6.424","v0.6.423","v0.6.422","v0.6.421","v0.6.420","v0.6.419","v0.6.418","v0.6.417","v0.6.416","v0.6.415","v0.6.414","v0.6.413","v0.6.412","v0.6.411","v0.6.410","v0.6.409","v0.6.408","v0.6.407","v0.6.406","v0.6.405","v0.6.404","v0.6.403","v0.6.402","v0.6.401","v0.6.400","v0.6.399","v0.6.398","v0.6.397","v0.6.396","v0.6.395","v0.6.394","v0.6.393","v0.6.392","v0.6.391","v0.6.390","v0.6.389","v0.6.388","v0.6.387","v0.6.386","v0.6.385","v0.6.384","v0.6.383","v0.6.382","v0.6.381","v0.6.380","v0.6.379","v0.6.378","v0.6.377","v0.6.376","v0.6.375","v0.6.374","v0.6.373","v0.6.372","v0.6.371","v0.6.370","v0.6.369","v0.6.368","v0.6.367","v0.6.366","v0.6.365","v0.6.364","v0.6.363","v0.6.362","v0.6.361","v0.6.360","v0.6.359","v0.6.358","v0.6.357","v0.6.356","v0.6.355","v0.6.354","v0.6.353","v0.6.352","v0.6.351","v0.6.350","v0.6.349","v0.6.348","v0.6.347","v0.6.346","v0.6.345","v0.6.344","v0.6.343","v0.6.342","v0.6.341","v0.6.340","v0.6.339","v0.6.334","v0.6.333","v0.6.332","v0.6.329","v0.6.325","v0.6.328","v0.6.327","v0.6.326","v0.6.324","v0.6.323","v0.6.322","v0.6.321","v0.6.320","0.6.320","v0.6.319","v0.6.318","v0.6.317","v0.6.316","v0.6.315","v0.6.314","v0.6.313","v0.6.312","v0.6.311","v0.6.310","v0.6.309","v0.6.308","v0.6.307","v0.6.306","v0.6.305","v0.6.304","v0.6.303","v0.6.302","v0.6.301","v0.6.300","v0.6.299","v0.6.298","v0.6.297","v0.6.296","v0.6.295","v0.6.294","v0.6.293","v0.6.292","v0.6.291","v0.6.290","v0.6.289","v0
.6.288","v0.6.287","v0.6.286","v0.6.285a","v0.6.285","v0.6.284a","v0.6.284","v0.6.283","v0.6.282","v0.6.281a","v0.6.281","v0.6.280a","v0.6.280","v0.6.279","v0.6.278","v0.6.277","v0.6.276","v0.6.275","v0.6.274","v0.6.273","v0.6.272","v0.6.271","v0.6.271rc4","v0.6.271rc3","v0.6.271rc2","v0.6.270","v0.6.269","v0.6.268","v0.6.267","v0.6.266","v0.6.265","v0.6.264","v0.6.263","v0.6.262","v0.6.261","v0.6.260","v0.6.259","v0.6.258","v0.6.257","v0.6.256","v0.6.255","v0.6.254","v0.6.253","v0.6.252","v0.6.251","v0.6.250","v0.6.249","v0.6.248","v0.6.247","v0.6.246","v0.6.245","v0.6.243","v0.6.242","v0.6.241","v0.6.240","v0.6.239","v0.6.238","v0.6.237","v0.6.236","v0.6.235a","v0.6.235","v0.6.234","v0.6.233","v0.6.232","v0.6.231","v0.6.230","v0.6.229","v0.6.228a","v0.6.228","v0.6.227","v0.6.226","v0.6.225","v0.6.224","v0.6.223","v0.6.222","v0.6.221","v0.6.220","v0.6.219","v0.6.218","v0.6.217","v0.6.216","v0.6.215","v0.6.214","v0.6.213","v0.6.212","v0.6.211","v0.6.210a","v0.6.210","v0.6.209","v0.6.208","v0.6.207","v0.6.206","v0.6.205","v0.6.204","v0.6.203","v0.6.202","v0.6.201","v0.6.200","v0.6.198","v0.6.197","v0.6.196","v0.6.195","v0.6.194","v0.6.193","v0.6.192","v0.6.191","v0.6.190","v0.6.188","v0.6.187","v0.6.186","v0.6.185","v0.6.184","v0.6.183","v0.6.182","v0.6.181a","v0.6.181","v0.6.180","v0.6.179","v0.6.178","v0.6.177","v0.6.176","v0.6.175","v0.6.174a","v0.6.174","v0.6.173","v0.6.172","v0.6.171","v0.6.170","v0.6.169","v0.6.168","v0.6.167a","v0.6.167","v0.6.166","v0.6.165","v0.6.164","v0.6.163","v0.6.162","v0.6.161","v0.6.160","v0.6.159","v0.6.158","v0.6.157","v0.6.156","v0.6.155a","v0.6.155","v0.6.154b","v0.6.154a","v0.6.154","v0.6.153","v0.6.152","v0.6.151","v0.6.150a","v0.6.150","v0.6.149","v0.6.148","v0.6.147","v0.6.146","v0.6.145","v0.6.144","v0.6.143","v0.6.142","v0.6.141","v0.6.140","v0.6.139a","v0.6.139","v0.6.138","v0.6.137","v0.6.136","v0.6.135","v0.6.134","v0.6.133","v0.6.132","v0.6.131","v0.6.130","v0.6.129","v0.6.128","v0.6.127","v0.6.126","v0.6.125","v0.6.124"
,"v0.6.123","v0.6.122a","v0.6.122","v0.6.121","v0.6.120a","v0.6.120","v0.6.119","v0.6.118","v0.6.117","v0.6.116","v0.6.115","v0.6.114","v0.6.113a","v0.6.113","v0.6.112b","v0.6.112a","v0.6.112","v0.6.111","v0.6.110","v0.6.109","v0.6.108","v0.6.107","v0.6.106","v0.6.105","v0.6.104","v0.6.103","v0.6.102","v0.6.101","v0.6.100","v0.6.99","v0.6.98a","v0.6.98","v0.6.97","v0.6.96","v0.6.95","v0.6.94","v0.6.93","v0.6.92","v0.6.91a","v0.6.91","v0.6.90a","v0.6.90","v0.6.89","v0.6.88","v0.6.87","v0.6.86","v0.6.85","v0.6.84","v0.6.83","v0.6.82","v0.6.81","v0.6.80a","v0.6.80","v0.6.79","v0.6.78a","v0.6.78","v0.6.77","v0.6.76b","v0.6.76a","v0.6.76","v0.6.75b","v0.6.75a","v0.6.75","v0.6.74a","v0.6.74","v0.6.73a","v0.6.73","v0.6.72b","v0.6.72a","v0.6.72","v0.6.71","v0.6.70","v0.6.69b","v0.6.69a","v0.6.69","v0.6.68a","v0.6.68","v0.6.67d","v0.6.67c","v0.6.67b","v0.6.67a","v0.6.67","v0.6.66","v0.6.65","v0.6.64","v0.6.63","v0.6.62","v0.6.61","v0.6.60a","v0.6.60","v0.6.59","v0.6.58","v0.6.57","v0.6.56","v0.6.55","v0.6.54","v0.6.53a","v0.6.53","v0.6.52","v0.6.51","v0.6.50","v0.6.49","v0.6.48","v0.6.47","v0.6.46","v0.6.45","v0.6.44","v0.6.43","v0.6.42","v0.6.41","v0.6.40","v0.6.39","v0.6.38","v0.6.37","v0.6.36","v0.6.35","v0.6.34","v0.6.33c","v0.6.33b","v0.6.33a","v0.6.33","v0.6.32b","v0.6.32a","v0.6.32","v0.6.31a","v0.6.31","v0.6.30c","v0.6.30b","v0.6.30a","v0.6.30","v0.6.29b","v0.6.29a","v0.6.29","v0.6.28","v0.6.27b","v0.6.27a","v0.6.27","v0.6.26a","v0.6.26","v0.6.25","v0.6.24","v0.6.23","v0.6.22","v0.6.21","v0.6.20","v0.6.19","v0.6.18","v0.6.17","v0.6.16","v0.6.15","v0.6.14","v0.6.13","v0.6.12","v0.6.11","v0.6.10","v0.6.9","v0.6.8","v0.6.7","v0.6.6","v0.6.5","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-56769.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N"}]}