
CVE-2026-3511: CWE-611 Improper Restriction of XML External Entity Reference in Slovensko.Digital Autogram

Severity: High
Published: Thu Mar 19 2026 (03/19/2026, 11:25:44 UTC)
Source: CVE Database V5
Vendor/Project: Slovensko.Digital
Product: Autogram

Description

Improper Restriction of XML External Entity Reference vulnerability in XMLUtils.java in Slovensko.Digital Autogram allows a remote unauthenticated attacker to conduct SSRF (Server Side Request Forgery) attacks and obtain unauthorized access to local files on the filesystem of the machine running the vulnerable application. Successful exploitation requires the victim to visit a specially crafted website that sends a request containing a specially crafted XML document to the /sign endpoint of the local HTTP server run by the application.

AI-Powered Analysis

Last updated: 03/19/2026, 14:08:48 UTC

Technical Analysis

CVE-2026-3511 is an XML External Entity (XXE) vulnerability, classified under CWE-611, in the XMLUtils.java component of Slovensko.Digital Autogram. The XML parser used there does not restrict external entity references, so a document that carries a DOCTYPE with external entity declarations is parsed and the entities are resolved. Autogram runs a local HTTP server that exposes a /sign endpoint; a web page under attacker control can make the victim's browser send a request containing the malicious XML to that localhost endpoint, and the application parses it. In an XXE of this kind, resolving a SYSTEM entity that points at a file: URI discloses local files from the victim's machine, and one that points at an http: or similar URI makes the application issue that request itself, which is the SSRF component: requests originate from the victim's host and reach whatever that host can reach. No authentication is needed and the only user interaction is visiting the page, so the vector is network-reachable even though the server listens on localhost. The impact is to confidentiality (disclosure of local files and internal resources); the record states no integrity or availability impact. The CVE record lists the affected version as "0", which is a placeholder in the record rather than a real version, so the precise affected and fixed releases must be taken from the vendor's advisory; no patch is listed on this page. No exploitation in the wild is reported. The CVSS 3.1 base score of 8.6 rates as High (Critical begins at 9.0). The affected component is the application's own local server on end-user machines where Autogram is installed. The root cause is the parser configuration, not the input: the fix is to disallow DTDs or disable external entity resolution in the parser used by XMLUtils.java.

Potential Impact

The primary impact of CVE-2026-3511 is unauthorized disclosure of local files and internal network resources from the machine running Autogram, via XXE and the SSRF it enables. Users of the vulnerable application risk exposure of confidential data on their workstation, including configuration files, credentials, or other sensitive material readable by the Autogram process, and the attacker can use the victim's host as a pivot to probe or fetch from hosts on the victim's internal network. Disclosed information can in turn support lateral movement or privilege escalation. Because the attack requires no authentication and only that the victim visit a web page, anyone who can get an Autogram user onto a malicious or compromised site can attempt it. The vulnerability does not directly affect integrity or availability, but the loss of confidentiality undermines trust in the signing workflow. Given that Autogram is used for electronic signing in Slovak digital services, affected users may include public-sector staff and citizens handling official documents. The absence of known in-the-wild exploitation leaves a window for mitigation before exploitation becomes common.

Mitigation Recommendations

To mitigate CVE-2026-3511, apply the following measures, which are tailored to a localhost HTTP listener inside a desktop application rather than to a conventional web server:
1) Update Autogram to a fixed release as soon as Slovensko.Digital publishes one. The parser lives inside the application, so this is the only complete fix; monitor the vendor's advisory for the affected and fixed versions, since the record on this page does not name them.
2) For the code fix in XMLUtils.java: configure the XML parser factory to disallow DOCTYPE declarations entirely, or, where a DTD must be accepted, disable external general entities, external parameter entities and external DTD loading, and disable XInclude. This is parser hardening, not input sanitization.
3) Do not rely on pattern-based sanitization of the XML body; the reliable pre-parse check is to reject any request to /sign whose body contains a DOCTYPE declaration, which is equivalent to the parser setting above.
4) The exposure exists because any web page can drive the local server. As general hardening for localhost listeners, restrict which origins may reach /sign by checking the Origin header and answering CORS preflights only for allowed origins, so an arbitrary site cannot submit documents.
5) Monitor for requests to /sign whose bodies contain <!DOCTYPE or <!ENTITY, and for outbound connections from the Autogram process to unexpected hosts, which is how out-of-band XXE exfiltration shows up.
6) Restrict egress from user workstations to limit what SSRF from the victim's machine can reach; note that the target is the end-user host, not a server in a segmented tier.
7) A Web Application Firewall does not sit in front of a localhost listener on a workstation, so a WAF is not a mitigation for this issue.
8) Tell users that visiting an untrusted site while Autogram is running is sufficient to trigger the issue, and that they should apply the update promptly.


Technical Details

Data Version
5.2
Assigner Short Name
SK-CERT
Date Reserved
2026-03-04T10:42:40.045Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69bc0011e32a4fbe5fc6a5d9

Added to database: 3/19/2026, 1:54:25 PM

Last enriched: 3/19/2026, 2:08:48 PM

Last updated: 3/20/2026, 5:19:40 AM

