CVE-2026-8725 - CoreWorxLab CAAL SSRF Vulnerability
A server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-8725, exists in CoreWorxLab CAAL up to and including version 1.6.0. It allows a remote attacker to make the CAAL server issue HTTP requests to targets of the attacker's choosing, including hosts on the internal network.
CVE-2026-8725 is a server-side request forgery (SSRF) vulnerability affecting CoreWorxLab CAAL version 1.6.0 and earlier. The flaw is located in src/caal/webhooks.py, in the test-hass endpoint component. The affected function has not been publicly identified; by manipulating its input, an attacker can cause the server to make unintended HTTP requests to internal or external resources. Publicly available exploit code exists, which increases the likelihood of exploitation. The vendor, CoreWorxLab, was notified but did not respond. The vulnerability allows a remote, unauthenticated attacker to potentially access sensitive internal resources or trigger other actions on the internal network.
Attack Chain
- The attacker identifies a vulnerable CoreWorxLab CAAL instance running version 1.6.0 or earlier.
- The attacker crafts a malicious HTTP request targeting the test-hass endpoint.
- The crafted request includes a payload designed to manipulate the vulnerable function in src/caal/webhooks.py.
- The manipulated function constructs an HTTP request based on attacker-controlled parameters.
- The CAAL server sends the crafted HTTP request to an internal or external resource.
- The attacker observes the response from the targeted resource, gaining unauthorized access to internal information or services.
- The attacker may use the SSRF vulnerability to scan internal networks, enumerate services, and identify further attack vectors.
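The pattern the chain above describes, and the check that breaks it, as an added Python illustration. This is not CAAL's code: the real function in src/caal/webhooks.py has not been published, so `vulnerable_target`, `hardened_target` and the `url` parameter are assumptions standing in for a "test this webhook" handler that fetches whatever URL it is given. The hardened version allows only http/https, rejects embedded credentials, resolves every address the host maps to, unwraps IPv4-mapped IPv6 literals, and refuses anything that is not globally routable.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_target(params):
    """The shape an SSRF reduces to: the server fetches whatever the client sent.
    Illustrative stand-in, not CAAL's actual handler; `url` is an assumed parameter."""
    return params["url"]


def default_resolver(host):
    """Every address a name maps to (A and AAAA); checking only the first is not enough."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_address(addr):
    """True for any address a public webhook target has no business being."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is 127.0.0.1 in disguise: unwrap before classifying
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global covers loopback, RFC1918, link-local (169.254.169.254), ULA,
    # reserved and documentation ranges; multicast needs its own check
    return not ip.is_global or ip.is_multicast


def reject_reason(url, resolver=default_resolver):
    """Why `url` must not be fetched, or None if it is acceptable."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:          # e.g. malformed IPv6 bracket syntax
        return f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, no DNS lookup
    except ValueError:
        # names, and odd numeric forms such as 2130706433 that a resolver may
        # map straight to 127.0.0.1
        addrs = resolver(host)
    if not addrs:
        return f"unresolvable host: {host!r}"
    for addr in addrs:
        if is_internal_address(addr):
            return f"{host!r} resolves to non-public address {addr}"
    return None


def hardened_target(params, resolver=default_resolver):
    """Validated replacement for vulnerable_target(): returns the URL or raises."""
    url = params.get("url", "")
    reason = reject_reason(url, resolver)
    if reason:
        raise ValueError(reason)
    return url
```

The resolver is injectable so the check can be exercised offline with a fake DNS table. Two things the validator alone does not cover: the HTTP client must connect to the address that was validated rather than resolving the name a second time (otherwise a DNS rebinding between check and use defeats it), and it must not follow redirects, since a public host can 302 the server into the internal network.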
Impact
Successful exploitation of CVE-2026-8725 enables attackers to perform unauthorized actions on the vulnerable server’s internal network. This could lead to the disclosure of sensitive information, the compromise of internal services, or further exploitation of other vulnerabilities within the network. Since a public exploit exists, unpatched instances are at high risk of compromise.
Recommendation
- Upgrade CoreWorxLab CAAL to a release later than 1.6.0 that addresses CVE-2026-8725. Because the vendor had not responded at the time of publication, confirm that the release you deploy actually contains a fix rather than assuming any newer version does.
- Until a fix is in place, restrict who can reach the test-hass endpoint and limit outbound connections from the CAAL server with egress filtering, so that a forged request cannot reach internal services or cloud metadata endpoints.
- Deploy the Sigma rule "Detect CVE-2026-8725 SSRF Attempt via Webhooks" to detect suspicious requests targeting the vulnerable endpoint.
- Monitor web server and network logs for unusual outbound connections originating from the CAAL server, which could indicate SSRF activity.
Detection coverage (2 rules)
Detect CVE-2026-8725 SSRF Attempt via Webhooks
Severity: high. Detects attempts to exploit the SSRF vulnerability in CoreWorxLab CAAL (CVE-2026-8725) by matching requests to the vulnerable webhooks.py endpoint that carry suspicious parameters.
Detect CVE-2026-8725 SSRF Outbound Connection
Severity: medium. Detects outbound connections from the CAAL server to unusual or internal IP addresses, which may indicate that CVE-2026-8725 is being exploited.
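To make the two rules concrete, an added Python sketch of their logic run over constructed input. It is not the platform's Sigma rules (which are not reproduced on this page) and not CAAL code. The endpoint route `/api/webhook/test-hass`, the process name `caal`, and every log line below are assumptions; the inbound rule scopes on the endpoint path and looks at query parameters for non-HTTP schemes, internal IP literals and internal-looking hostnames, and the outbound rule flags the CAAL process connecting into private ranges.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# The advisory names the test-hass endpoint but not its route; this path is assumed.
ENDPOINT_RE = re.compile(r"/test-hass(?:/|$)")
CAAL_PROCESS = "caal"   # assumed process name of the CAAL service for the outbound rule
# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Indicators in the spirit of a Sigma selection: `contains` strings and `cidr` ranges.
NON_HTTP_SCHEMES = {"file", "gopher", "dict", "ftp", "tftp", "ldap"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
INTERNAL_HOST_WORDS = ("localhost", "metadata", ".internal", ".local")

# Constructed sample access-log lines; not from any real CAAL deployment.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /api/webhook/test-hass?url=https://hooks.example.com/ping HTTP/1.1" 200 17',
    '203.0.113.7 - - [12/May/2026:10:01:09 +0000] "GET /api/webhook/test-hass?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:10:01:15 +0000] "GET /api/webhook/test-hass?url=http%3A%2F%2F127.0.0.1%3A8123%2Fapi%2F HTTP/1.1" 200 99',
    '203.0.113.7 - - [12/May/2026:10:01:20 +0000] "GET /api/webhook/test-hass?url=file:///etc/passwd HTTP/1.1" 500 0',
    '203.0.113.7 - - [12/May/2026:10:02:00 +0000] "GET /static/app.js?url=http://127.0.0.1/ HTTP/1.1" 200 2048',
]


def in_internal_net(addr):
    """True if `addr` is an IP literal inside one of the watched ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_value(value):
    """Why a parameter value looks like an SSRF target, or None if it does not."""
    try:
        parts = urlsplit(value)
        if parts.scheme and parts.scheme.lower() in NON_HTTP_SCHEMES:
            return f"non-http scheme {parts.scheme}"
        # a bare "host:port" has no scheme; re-parse it as an authority
        host = (parts.hostname or urlsplit("//" + value).hostname or "").lower()
    except ValueError as exc:
        return f"unparseable URL ({exc})"
    if in_internal_net(host):
        return f"internal address {host}"
    if any(word in host for word in INTERNAL_HOST_WORDS):
        return f"internal-looking host {host}"
    return None


def inspect_request(line):
    """Inbound rule: a request to the endpoint whose query carries a suspicious URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    split = urlsplit(m.group("target"))
    if not ENDPOINT_RE.search(split.path):
        return None
    for key, value in parse_qsl(split.query, keep_blank_values=True):
        reason = suspicious_value(value)
        if reason:
            return {"time": m.group("time"), "client": m.group("client"),
                    "param": key, "reason": reason}
    return None


def scan_log(lines):
    """Run the inbound rule over access-log lines and collect the hits."""
    return [hit for hit in (inspect_request(line) for line in lines) if hit]


def inspect_outbound(event):
    """Outbound rule: the CAAL process opening a connection to an internal destination."""
    if event.get("process") != CAAL_PROCESS:
        return None
    if in_internal_net(event.get("dst_ip", "")):
        return {"dst_ip": event["dst_ip"], "dst_port": event.get("dst_port")}
    return None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("inbound:", hit)
    print("outbound:", inspect_outbound({"process": "caal", "dst_ip": "10.0.0.5", "dst_port": 8123}))
```

A web-server access log only shows the query string, so if the endpoint takes its target in a POST body the inbound rule has to run over application or WAF logs instead. The outbound rule is the noisier of the two wherever the CAAL host legitimately reaches internal services; baseline those destinations and alert on new ones rather than on every private-range connection.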