CVE-2026-44313
critical
CVSS 9.1
SSRF (Server-Side Request Forgery) in ssrf (CVE-2026-44313)
Summary
SSRF in ssrf (CVE-2026-44313). Confidential information can be exposed externally. Exploitable via `GET /api/v1/archives/{linkId}`.
AI summary (openai / gpt-4o)
A critical vulnerability was found in Linkwarden allowing an attacker to use server-side request forgery (SSRF) to make unauthorized requests to internal systems once authenticated. This puts confidential internal data at risk of being stolen. Organizations should update their systems to version 2.13.0 or later as a protective measure.
An SSRF vulnerability exists in Linkwarden's fetchTitleAndHeaders function, allowing authenticated users to make arbitrary HTTP requests to internal services. The function only checks that the URL starts with "http://" or "https://", so a URL pointing at an internal host passes the check. Versions before 2.13.0 are affected; the fix is in version 2.13.0. No workarounds are available. The vulnerability can provide access to cloud metadata endpoints (AWS, GCP, Azure), potentially leading to the theft of IAM role credentials.
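As an added illustration (not Linkwarden's code), the prefix-only check the summary describes is shown beside a hardened allow-check of the kind a fix needs: it parses the URL, requires http(s), and refuses loopback, private, link-local and IPv4-mapped addresses as well as localhost and the GCP metadata hostname. The function names are this example's own assumptions.

```typescript
// Added example for this advisory, not Linkwarden's code; function names are hypothetical.
import { isIPv4, isIPv6 } from "node:net";
// The prefix-only check the advisory describes: any http(s) URL passes,
// including http://169.254.169.254/ or http://localhost:3000/.
function weakIsAllowed(url: string): boolean {
  return url.startsWith("http://") || url.startsWith("https://");
}

// Literal IPv4 addresses a server-side fetcher must never contact.
function isBlockedIPv4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||           // unspecified, 10/8, loopback
    (a === 172 && b >= 16 && b <= 31) ||               // 172.16/12 (Docker networks)
    (a === 192 && b === 168) ||                        // 192.168/16
    (a === 169 && b === 254);                          // link-local, incl. 169.254.169.254
}

function isBlockedIPv6(ip: string): boolean {
  const v = ip.toLowerCase();
  if (v === "::1" || v === "::") return true;                // loopback, unspecified
  if (/^fe[89ab]/.test(v) || /^f[cd]/.test(v)) return true;  // fe80::/10, fc00::/7
  // IPv4-mapped ::ffff:a.b.c.d; the WHATWG URL parser serialises it as ::ffff:hhhh:hhhh
  const m = v.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

function parseUrl(url: string): URL | null {
  try { return new URL(url); } catch { return null; }
}

// Hardened check: require http(s), reject embedded credentials, and refuse literal
// loopback/private/link-local hosts and known metadata names.
function hardenedIsAllowed(url: string): boolean {
  const parsed = parseUrl(url);
  if (!parsed) return false;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  if (parsed.username || parsed.password) return false;
  let host = parsed.hostname;                              // lowercased and normalised
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host === "metadata.google.internal") return false;  // GCP metadata hostname
  if (isIPv4(host)) return !isBlockedIPv4(host);          // also catches http://2130706433/
  if (isIPv6(host)) return !isBlockedIPv6(host);
  return true;  // plain hostname: resolve and re-check the address before connecting
}
```

A plain hostname that passes must still be resolved and the resolved address re-checked (and pinned for the actual connection), since a DNS record pointing at 169.254.169.254 or a rebinding attack otherwise bypasses the literal-address checks.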
❓ What is the problem
SSRF vulnerability in Linkwarden allowing internal HTTP requests via authenticated users.
📍 Affected scope
fetchTitleAndHeaders function in fetchTitleAndHeaders.ts.
🔥 Severity
Critical severity due to high impact on confidentiality and potential credential theft.
🔧 How to fix
Update to version 2.13.0 to patch the vulnerability.
🛡️ Workaround
Not specified in the available resources; no workaround provided.
🔍 Detection
Detect access attempts to internal metadata endpoints, such as the AWS metadata address 169.254.169.254, through log analysis.
Related past incidents
Similar incidents extracted from past CVEs
An SSRF vulnerability in Atlassian Jira affecting Jira versions prior to 7.6.11 due to improper URL validation.
An SSRF vulnerability found in Spring Cloud Function allowing arbitrary request forgery.
SSRF vulnerability in Citrix Application Delivery Controller allowing unauthorized access to internal networks.
If this happens at your company
Expected impact per business scenario
📌 When deploying Linkwarden in cloud environments such as AWS, GCP, or Azure.
Unauthorized access to cloud metadata services might occur, leading to credential theft and further system compromise.
📌 Use within a corporate intranet environment.
Confidential internal services and data can be exposed to unauthorized access or exploitation.
📌 Hosting alongside other services in a Docker network.
Inter-service security boundaries could be breached, leading to lateral movement attacks within the environment.
Recommended action
Ensure all deployments are updated to version 2.13.0 or later and monitor traffic for suspicious actions accessing metadata endpoints.
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
1. Identify exposure (identify)
   grep -r 'ssrf' . | grep -v node_modules
   Grep for `ssrf` in the repository and in the production dependency lock files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to establish which services are running and at which versions.
2. Match against affected range (verify)
   Confirm whether the version satisfies `< 2.13.0`
   Check whether the version found in Step 1 falls within the affected range `< 2.13.0`. If it is running in production, treat it as an incident.
3. Hunt for indicators of compromise (detect)
   grep -E 'GET /api/v1/archives/[^ ]+' /var/log/nginx/access.log | grep -E '(unusual_payload|sqli_pattern)'
   Search the last 30 to 90 days of access logs for anomalous requests to `GET /api/v1/archives/{linkId}` (invalid authentication headers, SQL metacharacters); the second grep's patterns are placeholders for your own indicators. If a WAF/SIEM is in place, review its alert history for that path.
7. Post-deployment verification (verify)
   Replay the attack against GET /api/v1/archives/{linkId} on staging to confirm the patch closes the vector
   After applying the patch, reproduce the PoC or an equivalent exploitation pattern on staging to confirm the vulnerability is closed. In production, keep running the same log query as Step 3 to confirm the alerts do not recur.