CVE-2026-32279: CVE-2026-32279: Server-Side Request Forgery in Connect-CMS External Page Migration

CVE-2026-32279: Server-Side Request Forgery in Connect-CMS External Page Migration

Vulnerability ID: CVE-2026-32279
CVSS Score: 6.8
Published: 2026-03-23

Connect-CMS versions 1.x through 1.41.0 and 2.x through 2.41.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the External Page Migration feature. Authenticated users with administrative privileges can supply malicious URLs to force the application to issue HTTP requests to arbitrary internal network resources. This allows attackers to bypass perimeter controls and interact with internal systems, loopback interfaces, or cloud provider metadata services.

TL;DR

An authenticated SSRF in Connect-CMS allows administrators to query internal network services and cloud metadata endpoints due to missing URL validation in the Page Migration plugin.

---

⚠️ Exploit Status: POC

Technical Details

• Vulnerability Type: Server-Side Request Forgery (SSRF)
• CWE ID: CWE-918
• CVSS v3.1 Score: 6.8 (Medium)
• Attack Vector: Network
• Privileges Required: High (Administrator)
• Impact: Confidentiality (High), Integrity (None), Availability (None)
• CISA KEV Status: Not Listed

Affected Systems

• Connect-CMS 1.x series up to 1.41.0
• Connect-CMS 2.x series up to 2.41.0
• Connect-CMS 1.x: <= 1.41.0 (Fixed in: 1.41.1)
• Connect-CMS 2.x: <= 2.41.0 (Fixed in: 2.41.1)

Code Analysis

Commit: 617a874

Validation Logic: Introduces UrlUtils::isGlobalHttpUrl for strict destination checking.

Commit: 4a1a64a

Proxy and Hardening: Disables automatic redirects, enforces middleware integrity, and strips .html upload extension.

Mitigation Strategies

• Upgrade Connect-CMS to a patched version (1.41.1 or 2.41.1).
• Implement strict egress filtering on the host firewall to block outbound connections to internal IP ranges (RFC 1918) and loopback addresses.
• Enforce IMDSv2 on all cloud compute instances to prevent SSRF-based metadata extraction.
• Monitor outbound network traffic from the application server for anomalous connections.

Remediation Steps:

1. Identify the current version of Connect-CMS running in the environment.
2. Backup the application database and configuration files.
3. Apply the patch by upgrading to version 1.41.1 (for 1.x installations) or 2.41.1 (for 2.x installations).
4. Verify the integrity of the Page Management Plugin configuration post-upgrade.
5. Validate that egress firewall rules prevent the application server from initiating connections to 169.254.169.254.

References

• GitHub Security Advisory GHSA-jh46-85jr-6ph9
• Fix Commit (Validation Logic)
• Fix Commit (Proxy and Hardening)
• Release v1.41.1
• Release v2.41.1

---

Read the full report for CVE-2026-32279 on our website for more details including interactive diagrams and full exploit analysis.