CVE-2026-3052
Published: 24 February 2026
Summary
CVE-2026-3052 is a medium-severity SSRF (CWE-918) vulnerability in DataLinkDC Dinky. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 2.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3052 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting DataLinkDC dinky versions up to 1.2.5. The flaw exists in the proxyUba function of the FlinkProxyController.java file, located at dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java within the Flink Proxy Controller component.
The vulnerability is remotely exploitable by an authenticated attacker with low privileges (PR:L). Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attacks can be launched over the network with low complexity and no user interaction, with limited (low) impact on confidentiality, integrity, and availability through the SSRF.
Advisories from VulDB and related disclosures indicate no vendor response or patches, despite early notification. References point to a public exploit in GitHub repository AnalogyC0de/public_exp (issues #7 and #3935032160), which could be used by attackers.
Notable context includes the public availability of the exploit, published alongside the CVE on 2026-02-24, increasing the risk of active exploitation in unpatched environments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7433
Vulnerability details
A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in the network-accessible FlinkProxyController enables direct exploitation of a public-facing application (T1190), and the attacker-controlled requests it issues can be used to probe internal hosts and ports for remote system discovery and network service discovery (T1018/T1046).
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces policy-based restrictions on outbound requests originating from proxyUba, directly blocking the SSRF manipulation of target URLs.
- SI-10 (Information Input Validation): requires validation of URL inputs to the FlinkProxyController before any proxy request is issued, preventing crafted SSRF payloads.
- Implements boundary controls that can deny or filter unauthorized outbound connections initiated by the vulnerable proxy function.
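The two controls the summary names, validation of the target URL before the proxy request is issued and an allowlist policy on where outbound requests may go, can be implemented as a single check placed in front of any proxying handler. The following is an added example written for this page, not Dinky's code: it is in Python rather than Dinky's Java, and the allowlisted upstream names and ports (flink-jobmanager.internal on 8081, flink-history.internal on 8082) are constructed values. It rejects non-HTTP schemes, URLs carrying userinfo, raw IP literals (the usual route to loopback, RFC 1918 and link-local metadata addresses), hosts outside the allowlist, and ports not permitted for that host, and it returns a normalized URL built only from the validated parts for the proxy to forward.

```python
"""Allowlist policy for a proxy endpoint's target URL (constructed example)."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example: the only upstream Flink endpoints this
# deployment is permitted to proxy to, each with its permitted ports.
ALLOWED_TARGETS = {
    "flink-jobmanager.internal": {8081},
    "flink-history.internal": {8082},
}
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


class ProxyTargetRejected(ValueError):
    """Raised when a requested proxy target fails the policy checks."""


def _is_ip_literal(host: str) -> bool:
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def validate_proxy_target(url: str, allowed=ALLOWED_TARGETS) -> str:
    """Return a normalized URL for an allowed proxy target; raise otherwise.

    Order of checks: parseable URL, permitted scheme, no userinfo, host
    present, host is a name (IP literals are never needed when the allowlist
    holds names, and they are how SSRF reaches loopback, RFC 1918 and
    link-local metadata addresses), host allowlisted, port allowlisted.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        raise ProxyTargetRejected(f"unparseable URL: {exc}") from exc

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ProxyTargetRejected(f"scheme not permitted: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "allowed.host@evil.example" puts the allowed name in userinfo, not host.
        raise ProxyTargetRejected("userinfo in URL is not permitted")

    host = parts.hostname  # already lowercased; IPv6 brackets stripped
    if not host:
        raise ProxyTargetRejected("missing host")
    host = host.rstrip(".")  # "host." and "host" name the same endpoint
    if _is_ip_literal(host):
        raise ProxyTargetRejected(f"IP literal not permitted: {host}")
    if host not in allowed:
        raise ProxyTargetRejected(f"host not in allowlist: {host}")

    if port is None:
        port = DEFAULT_PORTS[scheme]
    if port not in allowed[host]:
        raise ProxyTargetRejected(f"port {port} not permitted for {host}")

    # Rebuild from validated parts only; the fragment is never sent upstream.
    return urlunsplit((scheme, f"{host}:{port}", parts.path or "/", parts.query, ""))


def is_allowed(url: str, allowed=ALLOWED_TARGETS) -> bool:
    """Boolean form of validate_proxy_target, convenient for policy tests."""
    try:
        validate_proxy_target(url, allowed)
    except ProxyTargetRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample targets, as a proxy endpoint might receive them.
    samples = [
        "http://flink-jobmanager.internal:8081/jobs/overview",
        "http://FLINK-JOBMANAGER.INTERNAL:8081/",
        "http://flink-jobmanager.internal/jobs",
        "http://127.0.0.1:8081/",
        "http://[::1]:8081/",
        "http://169.254.169.254/",
        "http://flink-jobmanager.internal@evil.example:8081/",
        "file:///etc/passwd",
    ]
    for s in samples:
        print(f"{'ALLOW ' if is_allowed(s) else 'REJECT'} {s}")
```

A name allowlist bounds what the proxy can reach without the validator having to resolve DNS. If the allowlist must be broader than a few fixed names, resolve each candidate name and apply the same non-global address check to the resolved IPs, and re-check at connection time rather than only at validation time, since a name's resolution can change between the two (DNS rebinding).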