HIGH 7.3

CVE-2026-10771: CRMEB Java SSRF Vulnerability in QR Code Endpoint

A server-side request forgery (SSRF) vulnerability exists in CRMEB Java version 1.4. An attacker can manipulate the URL parameter in the RestTemplate.getForEntity function to force the server to make unintended outbound requests. This occurs in the QR code generation endpoint and requires no authentication. Since exploit code has been publicly disclosed, the risk of active exploitation is elevated.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the RestTemplateUtil.java component within the base64 QR code endpoint. The RestTemplate.getForEntity method fails to properly validate or restrict the URL argument passed by callers, allowing an unauthenticated attacker to inject arbitrary URLs. When the server processes the request, it will attempt to fetch content from the attacker-controlled URL, effectively acting as a proxy. This is classified as CWE-918 (Server-Side Request Forgery). The CVSS 3.1 score of 7.3 reflects the network-accessible attack vector, low complexity, and lack of privilege requirements, combined with potential impact to confidentiality, integrity, and availability.

Business impact

An active SSRF can enable attackers to probe internal network infrastructure, access non-public cloud metadata services, exfiltrate sensitive data from internal endpoints, or pivot deeper into the organization's network. In environments where CRMEB instances run alongside other backend systems, this becomes a bridgehead for lateral movement. The public disclosure of exploit code means this vulnerability transitions rapidly from theoretical to weaponized, increasing the urgency of remediation.

Affected systems

CRMEB Java version 1.4 is confirmed affected. The vulnerability is triggered through the base64 QR code endpoint, meaning any deployment exposing this functionality is at risk. Organizations using CRMEB for e-commerce or CRM workflows should verify their installed version and exposure of the REST API.

Exploitability

Exploitability is high. The attack requires no authentication, no user interaction, and runs over the network. The attack vector is straightforward: craft an HTTP request to the affected endpoint with a malicious URL parameter. Public exploit code is available, removing the barrier to weaponization. An attacker can immediately test internal connectivity and begin reconnaissance from a compromised CRMEB instance.

Remediation

Prioritize patching CRMEB Java to a version that validates and restricts URL inputs in the RestTemplate utility. Pending availability of an official patch from the project, implement network-level controls: restrict outbound connections from CRMEB instances to only necessary external services, disable access to cloud metadata endpoints (e.g., 169.254.169.254), and isolate CRMEB from sensitive internal services. Web application firewalls (WAF) can block suspicious URL patterns in requests to the QR code endpoint.

Patch guidance

Check the official CRMEB GitHub repository and security advisories for a patched version addressing CVE-2026-10771. Verify the patch version against the vendor advisory before deployment. Apply the patch in a staging environment first to confirm no breaking changes. If no patch is available from the vendor despite early notification, consider a temporary workaround: deploy a reverse proxy in front of CRMEB that validates URL parameters before they reach the vulnerable endpoint.

Detection guidance

Monitor HTTP requests to the base64 QR code endpoint for suspicious URL parameters that reference internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), cloud metadata services, or localhost. Examine outbound connections initiated by the CRMEB process to unexpected destinations. Log and alert on any RestTemplate.getForEntity calls with non-whitelist URLs. Intrusion detection systems can flag requests containing encoded internal IPs or metadata service markers in query parameters.

Why prioritize this

Despite not yet appearing on CISA's Known Exploited Vulnerabilities (KEV) catalog, this vulnerability merits immediate attention: HIGH CVSS score (7.3), network-accessible with no authentication, public exploit code available, and confirmed lack of vendor response. SSRF vulnerabilities are consistently weaponized in real-world attacks for reconnaissance and lateral movement. Organizations should treat this as an urgent patch candidate.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects a network-reachable attack requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), combined with potential impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). The score would likely increase if this vulnerability were added to the KEV catalog or if widespread exploitation were documented, potentially reaching CRITICAL if combined with downstream abuse of internal services.

Frequently asked questions

What does server-side request forgery mean in this context?

SSRF allows an attacker to trick the CRMEB server into making HTTP requests to destinations of the attacker's choosing. Instead of the server making legitimate requests, it becomes a proxy for malicious requests, potentially revealing internal services, metadata, or enabling lateral movement.

Is updating to the latest CRMEB release sufficient?

First verify the version of your current installation and compare it against the vendor's security advisories for CVE-2026-10771. The project has not yet responded to early notification, so there may not be a patched release available. Check official channels and GitHub security notices before updating.

Can network segmentation reduce the risk if patching is delayed?

Yes. Restrict CRMEB's outbound network access to only essential external endpoints. Block access to private IP ranges and cloud metadata services at the firewall level. This limits the attacker's ability to pivot or exfiltrate data, even if the SSRF is exploited.

How do I know if my CRMEB instance has been compromised via this vulnerability?

Check logs for unusual outbound connections from the CRMEB process, particularly to internal IP ranges or cloud metadata endpoints. Review HTTP access logs for suspicious URL parameters in requests to the QR code endpoint. Monitor for any unexpected data exfiltration or lateral movement attempts.

This analysis is provided for informational purposes to support vulnerability management and risk prioritization. Patch availability, vendor timelines, and affected product lists should be verified directly with CRMEB's official channels and security advisories. Organizations must conduct their own risk assessment based on their specific deployment, network architecture, and data sensitivity. SEC.co makes no warranty regarding the completeness or accuracy of vendor responses or patch release schedules. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).