CVE-2026-5618

Severity: Medium
CWE-918: Server-Side Request Forgery (SSRF)
Published: Apr 6, 2026  ·  Modified: Apr 9, 2026  ·  Source: NVD
CVSS v3.1 base score: 5.6 (Medium)
📄 Description (English)

A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

🤖 AI Executive Summary

CVE-2026-5618 is a Server-Side Request Forgery (SSRF) vulnerability in Kalcaddle Kodbox versions up to 1.64 affecting the shareMake/shareCheck component. The vulnerability allows remote attackers to manipulate siteFrom/siteTo parameters to perform unauthorized requests from the server. With a CVSS score of 5.6 (medium) and public exploit availability, this poses a moderate risk to organizations using vulnerable Kodbox instances, particularly those handling sensitive document sharing.

🤖 AI Intelligence Analysis Analyzed: May 25, 2026 00:37
🇸🇦 Saudi Arabia Impact Assessment
This SSRF vulnerability affects Saudi government entities, financial institutions and enterprises that run Kodbox for document management and collaboration, including NCA-regulated agencies and SAMA-regulated financial institutions that use it for internal document sharing. An unauthenticated attacker who can reach the shareMake/shareCheck endpoint can make the Kodbox server issue HTTP requests on their behalf, which exposes internal services that trust the server's network position, undermines network segmentation, and in cloud deployments can reach the instance metadata service. The CVSS vector (high attack complexity, unchanged scope, low confidentiality/integrity/availability impact) rates the direct impact as limited; the practical impact depends on what the Kodbox host can reach. Healthcare organizations and energy sector entities using Kodbox for document exchange face the same exposure. Because the vendor has not responded to the disclosure, no fix is available and compensating controls carry the full weight for Saudi organizations relying on this platform.
🏢 Affected Saudi Sectors
Government (NCA-regulated entities), Banking and Financial Services (SAMA-regulated), Healthcare, Energy (ARAMCO and related), Telecommunications (STC and related), Education, Enterprise/Corporate, Legal Services
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Kodbox instances in your environment running version 1.64 or earlier
2. Audit shareMake/shareCheck functionality logs for suspicious siteFrom/siteTo parameter manipulation
3. Implement network segmentation to restrict outbound requests from Kodbox servers
4. Monitor for SSRF indicators: unusual outbound connections, internal IP access attempts, metadata service access

Patching Guidance:
1. Contact Kalcaddle for security updates (the vendor did not respond to the disclosure and no fixed version is listed) or consider alternative document management solutions
2. If no patch is available, validate siteFrom/siteTo before the server fetches them: accept only http/https, reject URLs with embedded credentials, resolve the hostname and reject any resolved address that is not globally routable, then connect to the resolved address with redirects disabled
3. Maintain an allowlist of hosts permitted for share operations; a deny-list of internal addresses alone is bypassable with decimal/hex IP forms, IPv4-mapped IPv6 literals, DNS names that resolve internally, and DNS rebinding
4. Disable shareMake/shareCheck functionality if not required
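Steps 2 and 3 above, as an added reference implementation written for this page (not Kodbox's own code; Kodbox is PHP and the same logic ports directly). The allowlisted hosts, the FAKE_DNS table and the addresses in it are constructed so the demo runs offline; the default resolver is the system's getaddrinfo, which is what a live deployment would use.

```python
"""SSRF guard for a share-link target (reference code for this page, not
Kodbox's own). Policy: http/https only, no credentials in the URL, host
on an allowlist, only ports 80/443, and every address the host resolves
to must be globally routable. The caller must then connect to the pinned
address (Host header set to the original name) with redirects disabled."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the example; list your own trusted share peers.
ALLOWED_HOSTS = ("share.example.sa", "partner.example.sa")
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Every address for a hostname or IP literal, via the system resolver.
    getaddrinfo also accepts decimal/hex forms such as 2130706433, so the
    address check below sees what the HTTP client would really dial."""
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def is_internal(addr):
    """True unless the address is globally routable. Covers loopback,
    RFC 1918, 169.254.0.0/16 (cloud metadata), 100.64.0.0/10, 0.0.0.0/8,
    reserved, multicast and the IPv6 equivalents; IPv4-mapped IPv6 such as
    ::ffff:169.254.169.254 is unwrapped first so it cannot slip through."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def host_allowed(host, allowed_hosts):
    """Exact match or subdomain of an allowlisted name; the leading dot
    stops share.example.sa.evil.test from matching share.example.sa."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def validate_share_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return (ok, reason, pinned_ip). allowed_hosts=None disables the
    allowlist and falls back to the weaker address deny check alone."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port
    except ValueError as exc:
        return False, "malformed url: %s" % exc, None
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if allowed_hosts is not None and not host_allowed(host, allowed_hosts):
        return False, "host not in allowlist", None
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed", None
    try:
        addresses = resolver(host)
    except (OSError, ValueError):  # socket.gaierror is an OSError
        return False, "unresolvable host", None
    if not addresses:
        return False, "unresolvable host", None
    # Check every answer: a name with one public and one private record
    # would otherwise let the client pick the private one.
    ordered = sorted(addresses, key=str)
    for addr in ordered:
        if is_internal(addr):
            return False, "resolves to internal address %s" % addr, None
    return True, "ok", str(ordered[0])


# Constructed DNS answers so the demo runs offline; the public addresses
# are arbitrary. partner.example.sa deliberately mixes a public and a
# private record.
FAKE_DNS = {
    "share.example.sa": {"93.184.216.34"},
    "partner.example.sa": {"93.184.216.35", "10.0.0.5"},
    "localhost": {"127.0.0.1"},
}


def fake_resolver(host):
    if host in FAKE_DNS:
        return {ipaddress.ip_address(a) for a in FAKE_DNS[host]}
    return {ipaddress.ip_address(host)}  # IP literal, else ValueError


if __name__ == "__main__":
    for u in ("https://share.example.sa/api/share",
              "https://partner.example.sa/api/share",
              "http://share.example.sa.evil.test/"):
        print(u, validate_share_target(u, resolver=fake_resolver))
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "file:///etc/passwd"):
        print(u, validate_share_target(u, allowed_hosts=None, resolver=fake_resolver))
```

The pinned address is returned on purpose: if the HTTP client re-resolves the name at connect time, a DNS answer that flips to 10.0.0.5 after validation (rebinding) wins. Connect to the returned IP, set the Host header yourself, and do not follow redirects, since a 302 from an allowlisted host is just another unvalidated URL. Note that with the real resolver `http://2130706433/` resolves to 127.0.0.1 and is rejected by the address check; the fake resolver cannot parse that form and rejects it as unresolvable.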

Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules to detect SSRF patterns in share parameters; treat these as detection rather than prevention, since percent-encoded and alternate-form addresses evade string matching
2. Implement strict egress filtering on Kodbox server network interfaces: allow outbound connections only to the hosts the share feature legitimately needs
3. Use a proxy/firewall to block the Kodbox host from internal ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 100.64.0.0/10, and IPv6 ::1, fc00::/7 and fe80::/10), including the cloud metadata service at 169.254.169.254; enforce this at the network layer so it holds regardless of how the application parses the URL
4. Enable detailed logging and alerting for share operations, including the full siteFrom/siteTo values
5. Restrict Kodbox service account privileges and, in cloud deployments, avoid attaching an instance role to the Kodbox host where possible; where one is required, use a token-protected metadata service (for example AWS IMDSv2) so a plain GET from the SSRF cannot read credentials

Detection Rules:
1. Alert on siteFrom/siteTo parameters whose target is localhost, 127.0.0.1, an internal IP, or a cloud metadata endpoint (169.254.169.254); normalise the value first (percent-decode, parse the URL, convert decimal/hex/octal and IPv4-mapped IPv6 literals), since a plain string match on "127.0.0.1" misses 2130706433, 0x7f000001 and [::ffff:127.0.0.1]
2. Monitor for unusual outbound connections from Kodbox processes, in particular any connection from the Kodbox host to 169.254.169.254 or to address ranges it has no business reaching
3. Track failed share operations (HTTP 4xx/5xx on shareMake/shareCheck) with suspicious parameter values; an attacker probing internal ports generates bursts of failures from one client
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Vulnerability management (identify and remediate the affected Kodbox instances); network security management (egress filtering and segmentation of the Kodbox host); cybersecurity event logs and monitoring management (logging of share operations and SSRF indicators); cybersecurity incident and threat management (response while a public exploit exists and no patch is available); application security (input validation on the share parameters)
🔵 SAMA CSF
Asset management (inventory of Kodbox instances); infrastructure security and network segmentation (restrict outbound requests from the Kodbox host); application security (validate siteFrom/siteTo); security event management and monitoring (SSRF indicators); incident management (compensating controls while no patch exists)
🟡 ISO 27001:2022
A.5.19 - Information security in supplier relationships (unresponsive vendor) A.5.24 - Information security incident management planning and preparation A.8.8 - Management of technical vulnerabilities A.8.15 - Logging A.8.16 - Monitoring activities A.8.20 - Networks security A.8.22 - Segregation of networks A.8.25 - Secure development life cycle A.8.26 - Application security requirements
🟣 PCI DSS v4.0.1
Applicable only if Kodbox handles payment data or sits in the cardholder data environment: Requirement 1.3 - Network access to and from the CDE is restricted (1.3.2 restricts outbound traffic from the CDE, which covers egress from a Kodbox host inside it) Requirement 6.2.4 - Software engineering techniques to prevent or mitigate common software attacks, including injection attacks (where SSRF falls) Requirement 10.2 - Audit logs implemented to support the detection of anomalies and suspicious activity
📊 CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: N (Network)
Attack Complexity: H (High)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: L (Low)
Integrity: L (Low)
Availability: L (Low)
📋 Quick Facts
Severity: Medium
CVSS Score: 5.6
CWE: CWE-918
EPSS: 0.05%
Exploit: not flagged in the feed (the NVD description states a public exploit exists, so treat exploit code as available)
Patch: ✗ No (the vendor did not respond to the disclosure)
Published: 2026-04-06
Source Feed: nvd
🇸🇦 Saudi Risk Score: 6.2 / 10.0, Priority: HIGH
🏷️ Tags
CWE-918