CVE-2026-8725: CoreWorxLab CAAL SSRF Vulnerability Publicly Exploitable
The National Vulnerability Database has identified CVE-2026-8725, a critical server-side request forgery (SSRF) vulnerability in CoreWorxLab CAAL up to version 1.6.0. The flaw is in the test-hass endpoint implemented in src/caal/webhooks.py and can be exploited remotely: by manipulating an unknown function there, an attacker can make the server issue requests it should not, potentially leading to information disclosure or further compromise.
Rated with a CVSS score of 7.3 (HIGH), this vulnerability is particularly concerning because a public exploit is already available. That significantly lowers the barrier for attackers and makes unpatched instances a prime target for opportunistic exploitation. The National Vulnerability Database notes that CoreWorxLab was contacted prior to disclosure but did not respond.
For defenders, this means immediate action is required. SSRF vulnerabilities let an attacker reach internal services through the vulnerable host, bypassing network segmentation and enabling internal reconnaissance. Given the public exploit, any unpatched instance is at severe risk. Organizations using CoreWorxLab CAAL must prioritize patching or isolating affected systems to prevent exploitation.
What This Means For You
- If your organization uses CoreWorxLab CAAL up to version 1.6.0, assume you are vulnerable to CVE-2026-8725. This SSRF vulnerability has a public exploit, making it an immediate threat. Audit your webhook configurations, identify all instances of CoreWorxLab CAAL, and patch or isolate them without delay. Attackers will leverage this to probe your internal network.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK; the Sigma YAML is shown below.
CVE-2026-8725: CoreWorxLab CAAL SSRF via test-hass Endpoint

```yaml
# The title contains ': ', so it must be quoted to be valid YAML
title: 'CVE-2026-8725: CoreWorxLab CAAL SSRF via test-hass Endpoint'
id: scw-2026-05-17-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-8725 by looking for POST requests to the '/test-hass' endpoint with a 'webhook_url=' parameter in the query string, indicative of SSRF attempts.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8725/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    uri|contains:
      - '/test-hass'
    cs-uri-query|contains:
      - 'webhook_url='
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
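As an added example (not from this page, the NVD entry, or CoreWorxLab), the Sigma selection above applied to constructed W3C/IIS-style web server log lines, plus a second signal a responder would want: whether the submitted webhook_url names a literal loopback, private or link-local address. The log field order and the sample addresses are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, W3C/IIS-style fields (an assumed layout):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-05-17 05:20:01 203.0.113.10 POST /test-hass webhook_url=http://10.0.0.5:8123/api 200
2026-05-17 05:20:05 203.0.113.10 POST /test-hass webhook_url=http%3A%2F%2F127.0.0.1%2Fadmin 200
2026-05-17 05:21:00 198.51.100.7 POST /test-hass webhook_url=https://hooks.example.com/caal 200
2026-05-17 05:22:00 198.51.100.7 GET /test-hass - 405
2026-05-17 05:23:00 192.0.2.44 POST /api/webhooks webhook_url=http://10.0.0.5/ 200
"""

def matches_rule(method: str, stem: str, query: str) -> bool:
    """Same selection as the Sigma rule: POST, '/test-hass' in URI, 'webhook_url=' in query."""
    return method == "POST" and "/test-hass" in stem and "webhook_url=" in query

def internal_target(url: str) -> bool:
    """True when the webhook_url host is 'localhost' or a literal loopback,
    private or link-local address. No DNS is done, so a hostname that
    resolves to an internal address is not caught here; treat as a hint."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def scan(log_text: str) -> list[dict]:
    """One record per matching line: decoded webhook_url target and whether it is internal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client, method, stem, query, _status = parts[:7]
        if not matches_rule(method, stem, query):
            continue
        # parse_qs percent-decodes the value, so the encoded form is handled too
        target = parse_qs(query).get("webhook_url", [""])[0]
        hits.append({"time": f"{date} {time}", "client": client,
                     "target": target, "internal_target": internal_target(target)})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "INTERNAL" if hit["internal_target"] else "external"
        print(f"{hit['time']} {hit['client']} -> {hit['target']} [{flag}]")
```

Matches whose target is external still warrant review, since the rule cannot tell a legitimate webhook test from a probe; internal targets are the ones to escalate first.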
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8725 | SSRF | CoreWorxLab CAAL up to 1.6.0 |
| CVE-2026-8725 | SSRF | src/caal/webhooks.py |
| CVE-2026-8725 | SSRF | component test-hass Endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 17, 2026 at 05:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.