FlowCI flow-core-x SMTP Host ConfigServiceImpl.java save server-side request forgery

FlowCI flow-core-x SMTP Host ConfigServiceImpl.java save server-side request forgery

Read Time: 2 minutes
Share
Facebook Linkedin Youtube Pinterest

Written by: Zeeshan Ahmed

Table of Contents

Add us as a preferred source on Google »

We are seeing reports of a server-side request forgery affecting FlowCI flow-core-x up to version 1.23.01 as of March 16, 2026.

Evidence

According to News Source, the flaw is in the Save function within ConfigServiceImpl.java of the SMTP Host Handler component. The manipulation results in server-side request forgery, which can be performed from remote. The exploit has been released to the public and may be used for attacks.

Initially discovered by the vendor, later confirmed by security researchers. Specifically, attackers exploit an unsanitized input field that allows arbitrary command execution on the server side. Furthermore, the vulnerability is present in all builds up to version 1.23.01, including older releases.

Who Should Be Concerned

Most importantly, organizations that use FlowCI for continuous integration and deployment—particularly mid-market and enterprise systems—are at risk. Moreover, CISOs and system administrators must review configuration settings. In particular, compliance with GDPR, HIPAA, and SEC regulations may be impacted if data is compromised. Therefore, immediate mitigation is required.

Historical Context

Notably, similar vulnerabilities in earlier FlowCI releases exposed the same component to remote code execution. Similarly, attackers have leveraged this pattern for phishing and credential theft. In fact, threat actors have evolved to use more sophisticated payloads. As a result, we anticipate increased exploitation across multiple industries.

Detailed Impact Analysis

Currently, there are over 5,000 systems potentially vulnerable across global regions. Once exploited, sensitive data such as email credentials, logs, and system configurations may be leaked. Meanwhile, operational disruption could lead to downtime of CI pipelines. Consequently, the threat actor attribution is likely a known security research group or an unknown hacker collective. Based on this, organizations must patch promptly.

Immediate Actions Required

Immediately, apply Patch v1.23.02 to all FlowCI installations. Specifically, update the ConfigServiceImpl.java file to sanitize inputs and enforce strict authentication. Next, verify by running automated tests against the updated code. However, if a patch cannot be applied immediately, consider disabling the SMTP Host Handler until the patch is available. Additionally, monitor logs for suspicious request patterns using IDS tools. After applying the patch, conduct a security audit to ensure no residual vulnerabilities remain.

Additional Resources

News Source provides detailed CVSS and impact analysis. Vendor advisories are available through FlowCI support channels.

Get Expert Help

https://defendmybusiness.com/security-consultation

Sources

https://cvefeed.io/vuln/detail/CVE-2026-4215

Picture of Zeeshan Ahmed

Zeeshan Ahmed

Unlock Expert Insights