YunaiV yudao-cloud Admin API Endpoint create IotDataSinkHttpConfig server-side request forgery
Description
A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored SSRF in YunaiV yudao-cloud IoT module allows attackers to force server-side requests to arbitrary URLs via unvalidated HTTP sink configuration.
Vulnerability
A stored server-side request forgery (SSRF) vulnerability exists in the YunaiV yudao-cloud IoT module, version 2026.03. The flaw resides in the IotDataSinkHttpConfig handling within the /admin-api/iot/data-sink/create endpoint of the Admin API. When an authenticated administrator creates an HTTP data sink configuration, the provided URL is stored in the database without any validation of scheme, host, or IP address. Subsequently, when IoT device messages are processed, the stored URL is used directly by RestTemplate.postForObject() to make outbound HTTP requests, enabling SSRF attacks [1].
Exploitation
An attacker must first obtain valid administrator credentials to access the data sink creation endpoint. With that access, they can send a POST request to /admin-api/iot/data-sink/create containing a malicious URL (e.g., pointing to internal services or cloud metadata endpoints) in the IotDataSinkHttpConfig. Once the configuration is saved, the attacker triggers an IoT device message that causes the system to read the stored URL and execute an outbound request via RestTemplate without any IP filtering or protocol restrictions [1].
Impact
Successful exploitation allows the attacker to force the server to make arbitrary HTTP requests to internal network resources, cloud metadata services (e.g., 169.254.169.254), or other external systems. This can lead to information disclosure, lateral movement, or further compromise of the infrastructure. The SSRF is stored, meaning the malicious URL persists and can be triggered repeatedly [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no official patch is available. Recommended mitigations include implementing strict URL validation (e.g., allow only HTTPS schemes), blocking requests to private and internal IP ranges, maintaining an allowlist of approved domains, and specifically blocking access to cloud metadata IPs such as 169.254.169.254 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 2026.03
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/fakebug111/my_public_bug/blob/main/issus05.md (mitre: exploit)
- vuldb.com/submit/813962 (mitre: third-party-advisory)
- vuldb.com/vuln/365445 (mitre: vdb-entry, technical-description)
- vuldb.com/vuln/365445/cti (mitre: signature, permissions-required)
News mentions
No linked articles in our index yet.