CVE-2026-4589 is a server-side request forgery vulnerability affecting kalcaddle kodbox version 1.64. The vulnerability resides in the PathDriverUrl function of the /workspace/source-code/app/controller/explorer/editor.class.php file, specifically within the fileGet endpoint. By manipulating the 'path' parameter, an attacker can coerce the server into making arbitrary HTTP requests to internal or external systems, potentially bypassing network restrictions and accessing sensitive internal resources. The vulnerability can be exploited remotely without authentication or user interaction, requiring only low privileges on the system. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the vendor has not responded or issued a patch, public exploit code is available, increasing the risk of exploitation. SSRF vulnerabilities can be leveraged for internal reconnaissance, accessing metadata services, or pivoting to other internal systems, making this a significant concern for affected deployments. The lack of vendor response and patch availability emphasizes the need for immediate mitigations by administrators.

The primary impact of CVE-2026-4589 is the potential for attackers to perform unauthorized internal or external network requests via the vulnerable kodbox server. This can lead to information disclosure if internal services or metadata endpoints are accessible, potentially exposing sensitive data such as credentials or configuration details. Additionally, SSRF can be a stepping stone for further attacks, including lateral movement within the network or exploitation of other internal vulnerabilities. Although the direct impact on confidentiality, integrity, and availability is rated low to medium, the broader consequences depend on the internal network architecture and the presence of other vulnerabilities. Organizations using kodbox 1.64 in environments with sensitive internal services or cloud metadata endpoints are at higher risk. The lack of vendor patches and public exploit availability increases the urgency to address this vulnerability proactively to prevent potential breaches or data leaks.

1. Restrict access to the vulnerable fileGet endpoint by implementing network-level controls such as firewalls or web application firewalls (WAFs) to limit exposure to trusted IP addresses only. 2. Apply strict input validation and sanitization on the 'path' parameter to prevent manipulation that leads to SSRF. 3. Employ outbound network filtering on the server hosting kodbox to restrict unauthorized HTTP requests to internal or sensitive external resources, including cloud metadata services. 4. Monitor server logs for unusual outbound requests or access patterns indicative of SSRF exploitation attempts. 5. If possible, upgrade to a patched version once available or consider alternative secure file management solutions. 6. Isolate the kodbox server in a segmented network zone with minimal privileges to reduce potential lateral movement. 7. Conduct regular security assessments and penetration testing focused on SSRF and related vulnerabilities to identify and remediate weaknesses promptly.