CVE-2026-3052
Published: 24 February 2026
Summary
CVE-2026-3052 is a medium-severity SSRF (CWE-918) vulnerability in DataLinkDC dinky. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 2.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
- Validates server-side URLs and resource references to block SSRF attempts.
- Detects server-side request forgery through monitoring of unexpected outbound connections.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in the network-accessible FlinkProxyController enables direct exploitation of a public-facing application (T1190) and facilitates internal host/port probing for system/service discovery (T1018/T1046) via attacker-controlled requests.
NVD Description
A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-3052 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting DataLinkDC dinky versions up to 1.2.5. The flaw exists in the proxyUba function of the FlinkProxyController.java file, located at dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java within the Flink Proxy Controller component.
The vulnerability enables remote exploitation by an authenticated attacker with low privileges (PR:L). Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attacks can be launched over the network with low complexity and no user interaction, potentially resulting in low-level impacts to confidentiality, integrity, and availability through SSRF manipulations.
Advisories from VulDB and related disclosures indicate no vendor response or patches, despite early notification. References point to a public exploit in GitHub repository AnalogyC0de/public_exp (issues #7 and #3935032160), which could be used by attackers.
Notable context includes the public availability of the exploit, published alongside the CVE on 2026-02-24, increasing the risk of active exploitation in unpatched environments.
Details
- CWE(s)