PT-2026-24806 · Quill · Quill

Opera-Aklajn · Published 2026-03-11 · Updated 2026-03-25 · CVE-2026-31959
CVSS v3.1: 5.3 (Medium) · Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Quill versions prior to 0.7.1
Description: Quill, a tool for macOS binary signing and notarization, contains a Server-Side Request Forgery (SSRF) issue when retrieving Apple notarization submission logs. When fetching submission logs, Quill takes a URL from the notarization API response and requests it without validating its scheme (e.g. https) or its host. An attacker who can alter that response can supply an arbitrary URL, causing the Quill client to issue HTTP or HTTPS requests to attacker-controlled or internal network destinations, potentially exposing sensitive data such as cloud provider credentials or internal service responses. Exploitation requires the ability to modify responses from Apple's notarization service, which HTTPS with TLS certificate validation normally prevents; environments with TLS-intercepting proxies, compromised certificate authorities, or other trust-boundary violations are exposed. Both the Quill command-line interface (CLI) and the library are affected when used to retrieve notarization submission logs.
Recommendations: Update to Quill version 0.7.1 or later.
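The check the description says was missing, shown as an added example in Go (Quill's implementation language). This is illustrative code written for this page, not Quill's own source: the JSON field names, the `allowedLogHosts` allowlist entry and the two sample response bodies are assumptions constructed for the example. The pre-fix path passes the URL through untouched; the hardened path requires https, rejects userinfo and IP literals, and pins the host to an allowlist before any request is made.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// submissionLogsResponse mirrors the shape of a "get submission logs" response:
// a JSON body carrying the URL the client then fetches. The field names are an
// assumption for this example, not Quill's own types.
type submissionLogsResponse struct {
	Data struct {
		Attributes struct {
			DeveloperLogURL string `json:"developerLogUrl"`
		} `json:"attributes"`
	} `json:"data"`
}

// allowedLogHosts is an assumed allowlist for this example. A real client must
// pin it to the host(s) the notarization service actually serves logs from.
var allowedLogHosts = map[string]bool{
	"notary-artifacts.example.apple.com": true,
}

// vulnerableLogURL is the pre-fix behaviour the advisory describes: take the
// URL from the response and use it as-is, trusting scheme and host.
func vulnerableLogURL(body []byte) (string, error) {
	var resp submissionLogsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	return resp.Data.Attributes.DeveloperLogURL, nil
}

// hardenedLogURL applies the checks the advisory says were missing: the URL
// must parse, use https, carry no userinfo, not be a bare IP literal, and
// name an allowlisted host. Only then is it handed to an HTTP client.
func hardenedLogURL(body []byte) (string, error) {
	raw, err := vulnerableLogURL(body)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("log url does not parse: %w", err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("log url scheme %q is not https", u.Scheme)
	}
	if u.User != nil {
		return "", errors.New("log url must not carry userinfo")
	}
	host := strings.ToLower(u.Hostname())
	if ip := net.ParseIP(host); ip != nil {
		// A bare IP literal is never a legitimate log host; this is also where a
		// tampered response would point at link-local metadata endpoints.
		return "", fmt.Errorf("log url host %q is an IP literal", host)
	}
	if !allowedLogHosts[host] {
		return "", fmt.Errorf("log url host %q is not an allowed log host", host)
	}
	return u.String(), nil
}

func main() {
	// Constructed sample bodies: one as the service would return it, one as an
	// on-path party able to rewrite the response might supply.
	legit := []byte(`{"data":{"attributes":{"developerLogUrl":"https://notary-artifacts.example.apple.com/logs/abc123.json"}}}`)
	tampered := []byte(`{"data":{"attributes":{"developerLogUrl":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}}}`)
	for _, body := range [][]byte{legit, tampered} {
		v, _ := vulnerableLogURL(body)
		fmt.Printf("pre-fix would fetch: %s\n", v)
		if h, err := hardenedLogURL(body); err != nil {
			fmt.Printf("hardened rejects:    %v\n\n", err)
		} else {
			fmt.Printf("hardened fetches:    %s\n\n", h)
		}
	}
}
```

Note that the scheme and host checks run on the parsed URL, not on the raw string, so prefix tricks such as an allowlisted name in the userinfo position (`https://good@evil.example/`) are rejected by the userinfo test rather than slipping past a substring match.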

Tags: Exploit · Fix · SSRF

Related Identifiers

CVE-2026-31959
GHSA-7Q3Q-5PX6-4C5P
GO-2026-4671
SUSE-SU-2026:1042-1

Affected Products

Quill