Cyber Posture

CVE-2026-28508

HighPublic PoC

Published: 06 March 2026

Published
06 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0014 33.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the…

more

absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces authentication and authorization on the unfurl endpoint to block unauthenticated remote attackers from exploiting the SSRF vulnerability.

SI-10 Information Input Validation good match
prevent

Validates URL inputs to the unfurl service endpoint to prevent specification of arbitrary internal or metadata hosts.

AC-4 Information Flow Enforcement good match
prevent

Enforces policy-based controls on outbound HTTP requests from the unfurl endpoint to restrict flows to unauthorized destinations.

Security SummaryAI

CVE-2026-28508 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Idno social publishing platform prior to version 1.6.4. The issue stems from a logic error in the API authentication flow that allows trivial bypass of CSRF protection on the URL unfurl service endpoint. This endpoint lacks a login requirement, enabling unauthenticated remote attackers to exploit it. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of privileges or user interaction, scoped impact, and high confidentiality consequences.

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the unfurl endpoint, forcing the Idno server to issue arbitrary outbound HTTP requests to attacker-specified hosts. Targets can include internal network addresses and cloud instance metadata services, with the attacker able to retrieve the full response content. This enables potential reconnaissance of internal infrastructure, extraction of sensitive metadata, or further attacks via pivoting.

The issue has been addressed in Idno version 1.6.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fcrh-fqxh-6fx6). Security practitioners should upgrade to 1.6.4 or later to mitigate the vulnerability, and review deployments for exposure of the unfurl endpoint.

Details

CWE(s)
CWE-918

Affected Products

withknown
known
≤ 1.6.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
attack.mitre.org →
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
attack.mitre.org →
Why these techniques?

SSRF in public-facing app enables initial access (T1190), internal network/service reconnaissance (T1046), and targeting cloud metadata for discovery (T1522) and unsecured credential access (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References