CVE-2026-24138
Published: 23 January 2026
Summary
CVE-2026-24138 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AU-13 (Monitoring for Information Disclosure).
Deeper analysis
CVE-2026-24138 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the FOG Project, a free open-source cloning, imaging, rescue suite, and inventory management system. It affects versions 1.5.10.1754 and below, specifically in the getversion.php component. The flaw arises from a user-controlled 'url' parameter that allows arbitrary resource fetching when exploited.
Remote attackers can exploit this vulnerability over the network with low attack complexity, no privileges, no user interaction, and no scope change (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Unauthenticated access is possible by including the 'newService=1' parameter in requests, enabling attackers to force the FOG server to fetch internal websites and local files on the host machine, resulting in high confidentiality impact through exposure of sensitive internal resources.
The GitHub Security Advisory at https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj documents the issue, published on 2026-01-23. No fixed release version was available at the time of publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4538
Vulnerability details
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and…
more
files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated SSRF in public-facing getversion.php directly enables remote exploitation of a web app (T1190) and server-side retrieval of local/internal files/resources (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SSRF exploitation by validating and sanitizing the user-controlled 'url' parameter in getversion.php.
Mitigates SSRF impact by monitoring and controlling FOG server communications to block access to internal websites and files.
Detects unauthorized disclosures of internal resources triggered by unauthenticated SSRF requests to getversion.php.