CVE-2026-5538: QingdaoU OnlineJudge SSRF - Versions 1.6.0-1.6.1
Platform: other
Component: qingdaou-onlinejudge
CVE-2026-5538 is a Server-Side Request Forgery (SSRF) vulnerability identified in QingdaoU OnlineJudge versions 1.6.0 through 1.6.1. This flaw resides within the JudgeServer component, specifically the `service_url` function of the `judge_server_heartbeat` endpoint, enabling attackers to potentially make unauthorized requests to internal services. Due to the remote accessibility of this vulnerability, it poses a significant risk. No official patch has been released at the time of publication.
How to fix
Upgrading to a corrected version of QingdaoU OnlineJudge that addresses the server-side request forgery (SSRF) vulnerability in the judge_server_heartbeat endpoint is recommended. Contact the vendor for information on fixed versions and upgrade steps. As the vendor has not responded, reviewing the source code in order to mitigate the vulnerability is recommended.
Frequently asked questions
What is CVE-2026-5538?
CVE-2026-5538 is a Server-Side Request Forgery (SSRF) vulnerability affecting QingdaoU OnlineJudge versions 1.6.0 and 1.6.1. It allows attackers to make requests on behalf of the server, potentially accessing internal resources.
Am I affected by CVE-2026-5538?
You are potentially affected if you are running QingdaoU OnlineJudge version 1.6.0 or 1.6.1. Assess your environment and consider mitigation strategies if an upgrade isn't immediately possible.
How can I fix or mitigate CVE-2026-5538?
Currently, no official patch is available for CVE-2026-5538. Mitigation strategies may include restricting network access to the affected endpoint or implementing strict input validation on the `service_url` parameter.
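The input-validation mitigation mentioned above can be implemented as an allowlist check that runs before the web application ever opens a connection to a submitted `service_url`. The following is an added illustration, not code from QingdaoU OnlineJudge: the function names `validate_service_url` and `is_safe_service_url`, the `UnsafeServiceURL` exception, the port set and the example hostnames are all assumptions. The primary mode compares the hostname against hosts the operator has registered; the fallback mode (no allowlist configured) at least refuses loopback, link-local, multicast and unspecified IP literals, which is where internal-only services and cloud metadata endpoints usually live.

```python
"""Allowlist-based validation of a judge server URL before it is contacted.

Added example for CVE-2026-5538 (QingdaoU OnlineJudge SSRF); not the
project's own code.  All names and sample hosts below are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit


class UnsafeServiceURL(ValueError):
    """Raised when a submitted service URL must not be contacted."""


ALLOWED_SCHEMES = frozenset({"http", "https"})
# Assumed default: the ports a judge server is expected to listen on.
DEFAULT_ALLOWED_PORTS = frozenset({80, 443, 8080})


def validate_service_url(url, allowed_hosts=None, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return a normalised URL that is safe to contact, or raise UnsafeServiceURL.

    allowed_hosts: hostnames or IP literals the operator registered (None means
    no allowlist is configured, in which case only a conservative denylist of
    special-purpose IP ranges applies).  Hypothetical signature.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UnsafeServiceURL(f"unparseable URL: {exc}") from None

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeServiceURL(f"scheme not allowed: {scheme!r}")

    # Credentials in the URL are never expected from a judge server; refuse
    # them outright rather than letting them reach an internal service.
    if parts.username is not None or parts.password is not None:
        raise UnsafeServiceURL("userinfo in URL is not allowed")

    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise UnsafeServiceURL("missing host")

    try:
        port = parts.port  # ValueError on non-numeric or out-of-range port
    except ValueError:
        raise UnsafeServiceURL("invalid port") from None
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in allowed_ports:
        raise UnsafeServiceURL(f"port not allowed: {port}")

    if allowed_hosts is not None:
        # Primary control: exact, case-insensitive match against registered hosts.
        if host not in {h.lower() for h in allowed_hosts}:
            raise UnsafeServiceURL(f"host not registered: {host!r}")
    else:
        # Fallback control: refuse IP literals in ranges that are only reachable
        # from inside the deployment.  Hostnames are not resolved here, so a
        # name pointing at such an address is not caught by this branch; an
        # allowlist is the stronger option.
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None and (
            ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
        ):
            raise UnsafeServiceURL(f"address range not allowed: {host}")

    # Rebuild the URL from validated parts only; query and fragment are dropped
    # so that nothing beyond the path reaches the outbound request.
    netloc = f"[{host}]:{port}" if ":" in host else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))


def is_safe_service_url(url, allowed_hosts=None, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Boolean wrapper around validate_service_url for call sites that only branch."""
    try:
        validate_service_url(url, allowed_hosts, allowed_ports)
    except UnsafeServiceURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: two registered judge hosts and a few submitted URLs.
    registered = {"judge-1.internal.example", "judge-2.internal.example"}
    for candidate in (
        "http://judge-1.internal.example:8080/ping",
        "http://JUDGE-2.Internal.Example:8080/ping?x=1#frag",
        "http://judge-9.internal.example:8080/ping",
        "ftp://judge-1.internal.example/",
        "http://127.0.0.1:8080/",
    ):
        print(f"{candidate!r:55} -> {is_safe_service_url(candidate, registered)}")
```

When the deployment keeps judge servers on an internal network, the allowlist is the control to use: blocking private ranges would also block the legitimate judge hosts, while an explicit registry of hostnames lets the operator accept them and nothing else.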