Cyber Resilience

CVE-2026-3052

Severity: Medium · Public PoC available

Published: 24 February 2026

Modified: 25 February 2026
KEV Added: not listed
Patch: none reported
CVSS Score (v4.0): 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (2.1st percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3052 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in Dinky Dinky (DataLinkDC dinky). Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 2.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3052 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting DataLinkDC dinky versions up to 1.2.5. The flaw exists in the proxyUba function of the FlinkProxyController.java file, located at dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java within the Flink Proxy Controller component.

The vulnerability can be exploited remotely by an authenticated attacker with low privileges (PR:L). Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), attacks can be launched over the network with low complexity and no user interaction, with low impact on confidentiality, integrity, and availability through SSRF manipulation of the proxied request.

Advisories from VulDB and related disclosures indicate no vendor response or patches, despite early notification. References point to a public exploit in GitHub repository AnalogyC0de/public_exp (issues #7 and #3935032160), which could be used by attackers.

The exploit was published alongside the CVE on 2026-02-24, which increases the risk of active exploitation in unpatched environments.

Vulnerability details

A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1018 Remote System Discovery (Discovery)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Why these techniques?

An SSRF in the network-accessible FlinkProxyController allows direct exploitation of a public-facing application (T1190), and the attacker-controlled outbound requests can be used to probe internal hosts and ports, supporting system and service discovery (T1018/T1046).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3053 (same product: Dinky Dinky)
CVE-2026-3051 (same product: Dinky Dinky)
CVE-2026-4200 (shared CWE-918)
CVE-2024-13923 (shared CWE-918)
CVE-2026-33399 (shared CWE-918)
CVE-2025-1833 (shared CWE-918)
CVE-2026-33321 (shared CWE-918)
CVE-2026-7049 (shared CWE-918)
CVE-2026-32019 (shared CWE-918)
CVE-2026-27696 (shared CWE-918)

Affected Assets

Vendor: dinky · Product: dinky · Versions: ≤ 1.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: AC-4 Information Flow Enforcement

Enforces policy-based restrictions on outbound requests originating from proxyUba, directly blocking the SSRF manipulation of target URLs.

Prevent: SI-10 Information Input Validation

Requires validation of URL inputs to the FlinkProxyController before any proxy request is issued, preventing crafted SSRF payloads.

Prevent: boundary controls

Implements boundary controls that can deny or filter unauthorized outbound connections initiated by the vulnerable proxy function.
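As an added illustration of the SI-10 and AC-4 controls above (hypothetical hardening code written for this page, not Dinky's own; the class name, the allow-list of registered cluster addresses and the sample targets are assumptions), a proxy endpoint can refuse to forward any target whose host and port are not a registered Flink cluster, before the outbound request is ever built:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
// Hypothetical allow-list check for a Flink proxy endpoint (not Dinky's code):
// a target is forwarded only if its host:port is a registered Flink cluster.
public final class FlinkProxyTargetPolicy {
    private final Set<String> allowedAuthorities; // constructed: "host:port" per registered cluster
    public FlinkProxyTargetPolicy(Set<String> allowedAuthorities) {
        this.allowedAuthorities = allowedAuthorities;
    }
    // Returns the normalized target URI, or throws before any request is issued.
    public URI validate(String rawTarget) {
        URI uri;
        try {
            uri = new URI(rawTarget).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed proxy target", e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("only http/https proxy targets are allowed");
        }
        // No user-info, so "cluster@other-host" cannot pass as the cluster; host must parse.
        if (uri.getUserInfo() != null || uri.getHost() == null) {
            throw new IllegalArgumentException("target must have a plain host and no credentials");
        }
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        String authority = uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        if (!allowedAuthorities.contains(authority)) {
            throw new IllegalArgumentException("not a registered Flink cluster: " + authority);
        }
        return uri;
    }
    public static void main(String[] args) {
        // Constructed sample: one registered JobManager REST address.
        FlinkProxyTargetPolicy policy = new FlinkProxyTargetPolicy(Set.of("flink-jm-1.internal:8081"));
        System.out.println("forwarded: " + policy.validate("http://flink-jm-1.internal:8081/jobs/overview"));
        String[] rejected = {
            "http://10.0.0.5:9200/",                          // unregistered internal host
            "http://flink-jm-1.internal@other.example:8081/", // user-info spoofing the cluster name
            "ftp://flink-jm-1.internal/"                      // non-HTTP scheme
        };
        for (String target : rejected) {
            try { policy.validate(target); }
            catch (IllegalArgumentException e) { System.out.println("rejected " + target + ": " + e.getMessage()); }
        }
    }
}
```

Pairing this allow-list with egress filtering at the network boundary gives the defence in depth described by the third control, so a bypass of the input check still cannot reach arbitrary internal hosts.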