| CVSS 3.1: | 6.5
(Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
| ||||||||||||||||
| Software: | Apache Answer | ||||||||||||||||
| Published: | 09.06.2026 | ||||||||||||||||
| CVE: | CVE-2026-34031 ↗ | ||||||||||||||||
| Credits: | Reimar Fritz | ||||||||||||||||
| External Advisory: | Check out the external advisory ↗ |
Apache Answer insufficiently validates user-provided data on the server-side, allowing users to inject externally hosted content for elements, where the client-side does not provide a respective option.
Application users can upload custom profile images in the profile settings (http://example.com:9080/users/settings/profile). The process first performs a file upload (HTTP POST http://example.com:9080/answer/api/v1/file) to store the profile picture, which is limited by the administrative settings of the application (http://example.com:9080/admin/files). The API response provides the absolute URL to the uploaded image (“data”:“http://example.com:9080/uploads/avatar/5HWogbhpYDE.png"). Then the web application submits the changes to the user profile with this URL (HTTP POST http://example.com:9080/answer/api/v1/user/info; BODY: […]“custom”:“http://example.com:9080/uploads/avatar/5HWogbhpYDE.png"). The application server does not validate the target URL nor the addressed content, allowing arbitrary content (e.g. “custom”:“http://example.com/robots.txt") to be included throughout the application, where the user profile picture is included (in HTML img src attribute).
The application also does not perform this validation for application administrators, editing the branding (http://example.com:9080/admin/branding), where the front-end also only offers the option to upload images, but effectively accepts any arbitrary string.
The functions, offering only the option to upload a new image on the client side, effectively allow manipulation of the save request, allowing users/administrators to store arbitrary strings for these parameters.
A user can upload an arbitrary (allowed) image for their profile picture:


The subsequent request to store the change for their user profile can be manipulated:


The arbitrary string or externally hosted content is then used for the img src attribute throughout the application:

This approach applies to the application branding options for administrative users. This was reported, but is not classified as a vulnerability. According to the project’s documented security model, administrators hold full system permissions and are assumed trusted, so issues confined to administrator-only functionality are out of scope (https://answer.apache.org/community/security-model/#admin-permission-security).


In unserem Hacking Cult Bootcamp durchläufst du in 4 Wochen einen strukturierten Security-Check. Von Grundlagenwissen, um zu prüfen, wo dein Team wirklich steht, bis hin zum konkreten Schwachstellen-Scan deiner Webanwendung. Und das komplett kostenlos!
Gerolfinger Str. 106
85049 Ingolstadt
+49 (841) 9937 3456
ops[LOESCH-MICH-SPAMSCHUTZ]@[LOESCH-MICH-AUCH]hackingcult.de