Cyber Resilience

CVE-2026-28508

CriticalPublic PoC

Published: 06 March 2026

Published
06 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-28508 is a critical-severity SSRF (CWE-918) vulnerability in Withknown Known. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-28508 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Idno social publishing platform prior to version 1.6.4. The issue stems from a logic error in the API authentication flow that allows trivial bypass of CSRF protection on the URL unfurl service endpoint. This endpoint lacks a login requirement, enabling unauthenticated remote attackers to exploit it. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of privileges or user interaction, scoped impact, and high confidentiality consequences.

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the unfurl endpoint, forcing the Idno server to issue arbitrary outbound HTTP requests to attacker-specified hosts. Targets can include internal network addresses and cloud instance metadata services, with the attacker able to retrieve the full response content. This enables potential reconnaissance of internal infrastructure, extraction of sensitive metadata, or further attacks via pivoting.

The issue has been addressed in Idno version 1.6.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fcrh-fqxh-6fx6). Security practitioners should upgrade to 1.6.4 or later to mitigate the vulnerability, and review deployments for exposure of the unfurl endpoint.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the…

more

absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing app enables initial access (T1190), internal network/service reconnaissance (T1046), and targeting cloud metadata for discovery (T1522) and unsecured credential access (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26273Same product: Withknown Known
CVE-2026-28507Same product: Withknown Known
CVE-2026-4302Shared CWE-918
CVE-2026-28680Shared CWE-918
CVE-2026-33480Shared CWE-918
CVE-2026-35036Shared CWE-918
CVE-2026-34954Shared CWE-918
CVE-2026-22219Shared CWE-918
CVE-2026-3478Shared CWE-918
CVE-2026-30637Shared CWE-918

Affected Assets

withknown
known
≤ 1.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces authentication and authorization on the unfurl endpoint to block unauthenticated remote attackers from exploiting the SSRF vulnerability.

prevent

Validates URL inputs to the unfurl service endpoint to prevent specification of arbitrary internal or metadata hosts.

prevent

Enforces policy-based controls on outbound HTTP requests from the unfurl endpoint to restrict flows to unauthorized destinations.

References