CVE-2026-33486: Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

March 23, 2026

This vulnerability allows an authenticated attacker to read any file on the server’s local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files.

Field	Details
Vulnerability Class	Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI)
Affected Component	`RZ\Roadiz\Documents\DownloadedFile::fromUrl()`
Prerequisites	Authenticated user with `ROLE_ACCESS_DOCUMENTS`

References

github.com/advisories/GHSA-rc55-58f4-687g
github.com/roadiz/core-bundle-dev-app
github.com/roadiz/core-bundle-dev-app/commit/7904f690a51b88b1c72c02149ebdf85fa81f19f2
github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-rc55-58f4-687g
nvd.nist.gov/vuln/detail/CVE-2026-33486

Code Behaviors & Features

Detect and mitigate CVE-2026-33486 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →