CVE-2026-56285
Published: 29 June 2026
Summary
CVE-2026-56285 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-40154
Vulnerability details
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
- CWE(s): CWE-918 (Server-Side Request Forgery), CWE-1188 (Initialization of a Resource with an Insecure Default)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
SSRF in unauthenticated public-facing proxy endpoint directly enables exploitation of the application (T1190).
Mitigating Controls
Likely Mitigating Controls (AI-generated mapping)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
- Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
- Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults.
- Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
- Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
- Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
- SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
- Scans detect resources initialized with insecure defaults that create exploitable conditions.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE → CWE → STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248823 OL 8 must not have the telnet-server package installed. via CWE-1188
RHEL 7 (1 rule)
- V-204627 SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. via CWE-1188
Ubuntu 22.04 (1 rule)
- V-260529 Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Ubuntu 24.04 (1 rule)
- V-270708 Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Windows Server 2016 (1 rule)
- V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2019 (1 rule)
- V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2022 (1 rule)
- V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188