Server-Side Request Forgery in YunaiV yudao-cloud Admin API Endpoint
CVE-2026-9464

5.1MEDIUM

Key Information:

Vendor: Yunaiv
Status: Yudao-cloud
Vendor: CVE Published:; 25 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-9464?

A vulnerability has been identified in the YunaiV yudao-cloud 2026.03 product, specifically within the Admin API Endpoint function IotDataSinkHttpConfig. This flaw allows attackers to perform server-side request forgery (SSRF), enabling them to manipulate server requests and potentially gain unauthorized access to internal resources. The attack can be executed remotely, making it particularly dangerous. Despite early notifications to the vendor regarding this security issue, no response was received, heightening the risk of exploitation by malicious actors.

Affected Version(s)

yudao-cloud 2026.03

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-9464 - Proof of Concept

References

https://vuldb.com/vuln/365445

vdb-entrytechnical-description

https://vuldb.com/vuln/365445/cti

signaturepermissions-required

https://vuldb.com/submit/813962

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 25, 2026
👾
Exploit known to exist
May 25, 2026
Vulnerability published
May 25, 2026
Vulnerability Reserved
May 24, 2026

Credit

fakebug (VulDB User)

VulDB CNA Team

CVE-2026-9464 Data

JSON

Yunaiv