FIX SOON No patch yet
High impact vulnerability.
No patch available yet. Apply workarounds and monitor.

ProxyLogon

SSRF allowing authentication bypass and remote code execution

Severity CVSS CRITICAL 9.8
Exploitation Shoulder No known exploits
Fix available Unknown
CVE-2021-26855

Should I care?

This matters if:
  • Apps making HTTP requests based on user-supplied URLs
  • Webhook or callback URL features

Not relevant if:
  • No outbound HTTP calls use user input
  • All URLs are validated against an allowlist

How it breaks apps

1. User-supplied URL is fetched
2. Server makes internal request
3. Attacker reaches internal services
4. Internal network scanning or data leak

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2021-26855 is reachable — not just present.

npx @shoulderdev/cli trust .
Technical details

Risk by Environment

Production (public-facing) HIGH
Patch soon. Exploitation requires specific conditions but impact is severe.
Staging MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only LOW
Minimal risk in isolated dev environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-918
Server-side request forgery
LLMs frequently generate HTTP client code that follows redirects and fetches arbitrary URLs without validation.
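The checklist above treats the issue as out of scope when outbound URLs are validated against an allowlist, and the CWE-918 note flags client code that follows redirects without validation. The Python below is an added example (not Shoulder's code or the CLI's) of a fetcher that does both; ALLOWED_HOSTS, the resolver/transport hooks and the fake DNS/HTTP fixtures are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist (an assumption of this example): the only hosts the app may call.
ALLOWED_HOSTS = {"api.example.com", "hooks.example.net"}
MAX_REDIRECTS = 3

def is_public_address(ip):
    # Loopback, RFC 1918, link-local, shared, documentation and other special ranges fail here.
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)

def validate_outbound_url(url, resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return the parsed URL if scheme, host and every resolved address pass; else raise."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if host is None or host.lower() not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    # Check resolved addresses too: an allowlisted name pointing at an internal address is rejected.
    for ip in resolver(host):
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return parsed

def fetch_with_guarded_redirects(url, resolver, transport, allowed_hosts=ALLOWED_HOSTS):
    """Follow redirects by hand, re-validating each hop; transport must not follow them itself."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_outbound_url(url, resolver, allowed_hosts)
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308):
            url = headers.get("Location", "")
            continue
        return status, body
    raise ValueError("too many redirects")

# Constructed offline stand-ins for DNS and HTTP so the example runs without network access.
FAKE_DNS = {"api.example.com": ["51.51.51.51"], "hooks.example.net": ["52.52.52.52"],
            "intranet.example.com": ["10.0.0.5"]}   # placeholder public and private addresses

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def fake_transport(url):
    # The allowlisted endpoint answers with a redirect to a private address.
    if url == "https://api.example.com/redirect":
        return 302, {"Location": "http://10.0.0.5/internal"}, b""
    return 200, {}, b"ok"
```

In a real service, replace fake_resolver with socket.getaddrinfo and fake_transport with an HTTP client configured not to follow redirects, so that every hop passes through validate_outbound_url.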