CVE-2026-28508
Published: 06 March 2026
Summary
CVE-2026-28508 is a high-severity SSRF (CWE-918) vulnerability in Withknown Known. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces authentication and authorization on the unfurl endpoint to block unauthenticated remote attackers from exploiting the SSRF vulnerability.
Validates URL inputs to the unfurl service endpoint to prevent specification of arbitrary internal or metadata hosts.
Enforces policy-based controls on outbound HTTP requests from the unfurl endpoint to restrict flows to unauthorized destinations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing app enables initial access (T1190), internal network/service reconnaissance (T1046), and targeting cloud metadata for discovery (T1522) and unsecured credential access (T1552.005).
NVD Description
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the…
more
absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
Deeper analysisAI
CVE-2026-28508 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting the Idno social publishing platform prior to version 1.6.4. The issue stems from a logic error in the API authentication flow that allows trivial bypass of CSRF protection on the URL unfurl service endpoint. This endpoint lacks a login requirement, enabling unauthenticated remote attackers to exploit it. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of privileges or user interaction, scoped impact, and high confidentiality consequences.
Any unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the unfurl endpoint, forcing the Idno server to issue arbitrary outbound HTTP requests to attacker-specified hosts. Targets can include internal network addresses and cloud instance metadata services, with the attacker able to retrieve the full response content. This enables potential reconnaissance of internal infrastructure, extraction of sensitive metadata, or further attacks via pivoting.
The issue has been addressed in Idno version 1.6.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fcrh-fqxh-6fx6). Security practitioners should upgrade to 1.6.4 or later to mitigate the vulnerability, and review deployments for exposure of the unfurl endpoint.
Details
- CWE(s)