
CVE-2026-1884: Server-Side Request Forgery in ZenTao

Medium
Published: Wed Feb 04 2026 (02/04/2026, 21:32:08 UTC)
Source: CVE Database V5
Product: ZenTao

Description

CVE-2026-1884 is a medium-severity Server-Side Request Forgery (SSRF) vulnerability affecting ZenTao versions up to 21.7.6-85642. The flaw exists in the fetchHook function within the webhook module and allows remote attackers to manipulate server-side requests. Exploitation does not require user interaction but does require high privileges on the system. Although no exploitation in the wild has been observed, a public exploit is available. The vulnerability can lead to unauthorized internal network scanning, data exfiltration, or interaction with internal services. The vendor has not responded to disclosure attempts, and no patches are currently available. European organizations using ZenTao for project management should prioritize mitigation to prevent potential internal network compromise. Countries with significant ZenTao adoption and critical infrastructure relying on it are at higher risk.

AI-Powered Analysis

Last updated: 02/04/2026, 22:00:44 UTC

Technical Analysis

CVE-2026-1884 is a Server-Side Request Forgery vulnerability identified in the ZenTao project management software, specifically affecting the fetchHook function in the webhook module (module/webhook/model.php). This vulnerability allows an attacker to manipulate server-side HTTP requests by exploiting the webhook functionality, which is designed to send HTTP callbacks to specified URLs. An attacker with high privileges on the system can craft malicious webhook configurations that cause the server to send requests to arbitrary internal or external resources. This can lead to unauthorized internal network reconnaissance, access to sensitive internal services, or potential data exfiltration. The vulnerability is remotely exploitable but requires the attacker to have elevated privileges (PR:H) on the ZenTao instance, and no user interaction is needed. The CVSS v4.0 base score is 5.1, reflecting a medium severity due to limited scope and required privileges. The vendor was notified but has not issued a patch or response, and no official remediation is currently available. Although no active exploitation in the wild has been reported, a public exploit exists, increasing the risk of future attacks. The vulnerability impacts ZenTao versions up to 21.7.6-85642, widely used in software development and project management environments.

Potential Impact

For European organizations, this SSRF vulnerability poses risks primarily to internal network security and confidentiality. If exploited, attackers with high privileges could leverage the vulnerability to scan internal network segments, access internal-only services, or exfiltrate sensitive data through crafted server requests. This could lead to lateral movement within corporate networks, exposure of confidential project management data, or disruption of internal services. Organizations relying on ZenTao for managing critical projects, especially in sectors like finance, healthcare, and government, could face operational disruptions or data breaches. The lack of vendor response and patches increases the window of exposure. Additionally, the presence of a public exploit lowers the barrier for attackers to attempt exploitation, potentially increasing targeted attacks against European entities using ZenTao. The medium severity score suggests that while the vulnerability is not trivially exploitable by external attackers without privileges, insider threats or compromised accounts could leverage it effectively.

Mitigation Recommendations

European organizations should immediately audit their ZenTao installations to identify affected versions (up to 21.7.6-85642). Since no official patch is available, organizations should implement compensating controls such as restricting access to the ZenTao management interface to trusted administrators only, enforcing strict privilege management to limit high-privilege accounts, and monitoring webhook configurations for unauthorized changes. Network segmentation should be applied to limit the ZenTao server's ability to reach sensitive internal resources. Employ web application firewalls (WAFs) with rules to detect and block suspicious SSRF patterns in outgoing requests. Additionally, organizations should consider disabling or restricting webhook functionality if not essential. Continuous monitoring of logs for unusual outbound requests from the ZenTao server can help detect exploitation attempts. Finally, maintain communication with the vendor or community for updates or patches and plan for timely upgrades once fixes are released.
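The webhook-configuration audit and the destination restriction recommended above can be expressed as a single fail-closed check. The following is an added example written for this page, not ZenTao's own code: it validates a webhook target URL against the internal ranges an SSRF through fetchHook would reach, unwraps IPv4-mapped IPv6 literals, and runs over a constructed sample configuration with a constructed DNS table (names, URLs and addresses are assumptions).

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges a webhook callback must never target: the RFC 1918, loopback and
# link-local space is the "internal network" the advisory describes.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]
ALLOWED_SCHEMES = {"http", "https"}

def resolve_literal(host):
    """Offline resolver: IP literals only; [] for names (fail closed)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return []

def check_webhook_url(url, resolver=resolve_literal):
    """Return (ok, reason); a real deployment passes a DNS-backed resolver."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, f"could not resolve {parts.hostname!r}"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so IPv4 ranges still apply.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return False, f"{addr} is inside blocked range {net}"
    return True, "ok"

# Constructed sample configuration and DNS answers (not taken from ZenTao).
SAMPLE_WEBHOOKS = [("ci-notify", "https://203.0.113.10/hooks/zentao"),
                   ("chat-bot", "https://chat.example.internal/hook"),
                   ("suspicious", "http://192.168.10.5:8080/admin"),
                   ("loopback", "http://[::ffff:127.0.0.1]/")]
SAMPLE_DNS = {"chat.example.internal": [ipaddress.ip_address("10.20.30.40")]}

def run_sample_audit():
    """Names of sample webhooks whose target fails the check."""
    resolver = lambda h: SAMPLE_DNS.get(h) or resolve_literal(h)
    return [n for n, u in SAMPLE_WEBHOOKS if not check_webhook_url(u, resolver)[0]]
```

Because the check rejects anything it cannot resolve, a production deployment must supply a resolver that returns every address a name resolves to, so that a public name pointing at an internal address is caught too.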


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-04T14:17:45.454Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6983bde5f9fa50a62fae8c81

Added to database: 2/4/2026, 9:45:09 PM

Last enriched: 2/4/2026, 10:00:44 PM

Last updated: 2/5/2026, 12:18:12 AM

