Cyber Resilience

CVE-2026-28680

Critical

Published: 06 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (version 2.245.0)
CVSS v3.1 score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS score: 0.0023 (13.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28680 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Ghostfolio (vendor: ghostfol). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-28680 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Ghostfolio, an open source wealth management software. Prior to version 2.245.0, the manual asset import feature allows a full-read SSRF, enabling attackers to make unauthorized requests from the server. The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), indicating critical severity due to high confidentiality impact and changed scope.

A remote, unauthenticated attacker can exploit this vulnerability by abusing the manual asset import functionality to force the Ghostfolio server to send requests to arbitrary internal or external endpoints. Successful exploitation allows exfiltration of sensitive cloud metadata, such as Instance Metadata Service (IMDS) data, or probing of internal network services, potentially leading to further compromise in cloud environments.

The issue has been addressed in Ghostfolio version 2.245.0, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to this version or later to mitigate the vulnerability, with further technical details available in the GitHub advisory (GHSA-hhv6-c34h-pwgh) and release tag (2.245.0).


Vulnerability details

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1046 Network Service Discovery (Discovery): Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

An SSRF in a public-facing application is directly exploitable via T1190; it then facilitates internal service probing (T1046) and access to the cloud instance metadata API for IMDS credential exfiltration (T1552.005, formerly T1522).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28785 (same product: Ghostfolio, vendor ghostfol)
CVE-2026-4302 (shared CWE-918)
CVE-2026-28508 (shared CWE-918)
CVE-2026-33480 (shared CWE-918)
CVE-2026-35036 (shared CWE-918)
CVE-2026-34954 (shared CWE-918)
CVE-2026-22219 (shared CWE-918)
CVE-2026-3478 (shared CWE-918)
CVE-2026-30637 (shared CWE-918)
CVE-2026-33502 (shared CWE-918)

Affected Assets

Vendor: ghostfol
Product: ghostfolio
Versions: ≤ 2.245.0

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent (input validation): Validates user-supplied inputs in the manual asset import feature to block malicious URLs that enable SSRF exploitation.

Prevent (AC-4 Information Flow Enforcement): Enforces logical information flow control policies to prevent the server from making unauthorized requests to internal endpoints or cloud metadata services.

Prevent (SC-7 Boundary Protection): Monitors and controls application outbound network traffic at boundaries to block SSRF-induced requests to sensitive internal resources.
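As an added illustration of the input-validation and information-flow controls above (example code, not Ghostfolio's own; the function names and test URLs are assumptions): a TypeScript guard for a server-side URL fetch such as a manual asset import, which rejects non-HTTP schemes, embedded credentials, and any literal or DNS-resolved target in loopback, link-local (including the IMDS address 169.254.169.254), private, CGNAT or IPv6 unique-local ranges.

```typescript
import { isIP } from "node:net";

// Example SSRF guard for a server-side URL fetch (not Ghostfolio's own code; function
// names are assumptions). Blocks loopback, link-local (incl. IMDS 169.254.169.254),
// private, CGNAT and ULA targets, whether given as a literal or returned by DNS.
const BLOCKED_V4: [string, number][] = [["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}

function ipv6Groups(ip: string): number[] {
  const m = ip.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/);          // ::ffff:127.0.0.1 form
  if (m) { const v4 = ipv4ToInt(m[2]); ip = `${m[1]}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`; }
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [], t = tail ? tail.split(":") : [];
  return [...h, ...Array(8 - h.length - t.length).fill("0"), ...t].map((g) => parseInt(g, 16));
}

export function isBlockedAddress(ip: string): boolean {
  const kind = isIP(ip);
  if (kind === 4) {
    const n = ipv4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => (n >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits)));
  }
  if (kind === 6) {
    const g = ipv6Groups(ip);
    if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff)     // IPv4-mapped: apply v4 policy
      return isBlockedAddress(`${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.${g[7] & 255}`);
    return (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) ||     // :: and ::1
      (g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xfe00) === 0xfc00;      // fe80::/10, fc00::/7
  }
  return true;                                                        // not an IP literal: refuse
}

// `resolved` = addresses the caller already obtained for the hostname; the caller must
// then connect to one of those exact addresses (no second lookup) to defeat DNS rebinding.
export function isSafeImportUrl(raw: string, resolved: string[]): boolean {
  let url: URL;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  const host = url.hostname.replace(/^\[|\]$/g, "");   // WHATWG URL canonicalises 0x7f000001, 2130706433, 127.1
  const targets = isIP(host) ? [host] : resolved;
  return targets.length > 0 && targets.every((a) => !isBlockedAddress(a));
}
```

An empty `resolved` list (NXDOMAIN or lookup failure) is treated as unsafe rather than as a pass.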
