
CVE-2026-56285

Severity: High · Public PoC referenced

Published: 29 June 2026
Modified: 29 June 2026
KEV Added: not listed
Patch: none recorded

CVSS v4.0 base score: 7.7 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N
Reading the vector: network-reachable, low attack complexity, no attack requirements, no privileges and no user interaction; on the vulnerable system itself no confidentiality impact, low integrity impact and no availability impact; high confidentiality impact on subsequent systems (the internal hosts and metadata services the proxy can be pointed at). Every threat, environmental and supplemental metric (E, CR/IR/AR, the M* modified metrics, S, AU, R, V, RE, U) is left as X (not defined), so 7.7 is the base score only; re-score with your own environmental values before prioritising.

EPSS score: 0.0036 (28.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-56285 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Nitter's /video media proxy endpoint; the hardcoded default HMAC key it relies on is tracked separately as CWE-1188 (insecure default initialization). Its CVSS v4.0 base score is 7.7 (High).

Operationally:
• Exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190).
• EPSS ranks it at the 28.0th percentile by exploit likelihood (below the median).
• It is not currently listed in the CISA KEV catalog.
• A public proof-of-concept is referenced.

Vulnerability details

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key. Because that key is public, unauthenticated attackers can compute valid HMACs for arbitrary URLs and have the proxy fetch them. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

The two defects are independent. Replacing the default key with a unique random secret stops outsiders from forging signatures, but the endpoint still trusts any validly signed URL, so a later key disclosure would reopen the issue; restricting the target host to the expected upstream domains is the structural fix, and a deployment needs both.
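To make the two defects concrete, here is an added example written for this page; it is a generic model of an HMAC-signed media proxy, not Nitter's code. The key value `SHIPPED_DEFAULT_KEY`, the allowlist `ALLOWED_HOSTS`, the signature layout and the URLs are assumptions. `VulnerableProxy` reproduces the behaviour the advisory describes (signature check only, default key), and `HardenedProxy` shows the fix: refuse to start on the default key and validate the target host independently of the signature.

```python
"""
Added example, not Nitter's code: a minimal model of an HMAC-signed media proxy,
showing why a shipped default key lets anyone forge valid signatures and why a
host allowlist is a separate, necessary check. Key value, allowed hosts and the
sig/url layout are assumptions, not Nitter's.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed stand-in for a default key that ships in the public source: anyone can read it.
SHIPPED_DEFAULT_KEY = b"changeme"

# Assumed allowlist of upstream media hosts; adapt to the real upstream.
ALLOWED_HOSTS = {"video.twimg.com", "pbs.twimg.com"}


def sign(url: str, key: bytes) -> str:
    """HMAC-SHA256 over the target URL, hex-encoded."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


class VulnerableProxy:
    """Checks only the signature and falls back to the shipped default key.

    Both defects from the advisory: no host validation, and a default key that
    an attacker can simply read from the source.
    """

    def __init__(self, key: bytes = SHIPPED_DEFAULT_KEY):
        self.key = key

    def resolve(self, sig: str, url: str) -> Optional[str]:
        if not hmac.compare_digest(sig, sign(url, self.key)):
            return None
        return url  # the real endpoint would now fetch this server-side


class HardenedProxy:
    """Refuses to start on the default key and validates the target host."""

    def __init__(self, key: bytes):
        if key == SHIPPED_DEFAULT_KEY or len(key) < 32:
            raise ValueError("media proxy HMAC key must be a unique, random secret")
        self.key = key

    def resolve(self, sig: str, url: str) -> Optional[str]:
        if not hmac.compare_digest(sig, sign(url, self.key)):
            return None
        p = urlsplit(url)
        # Host check is independent of the signature: even a validly signed URL
        # must point at an expected upstream over https on the default port.
        if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
            return None
        if p.username is not None or p.port not in (None, 443):
            return None  # rejects https://video.twimg.com@10.0.0.5/ and odd ports
        return url


def forge(target: str) -> Tuple[str, str]:
    """What an unauthenticated attacker does with the known default key."""
    return sign(target, SHIPPED_DEFAULT_KEY), target


def rejects_default_key() -> bool:
    """True if the hardened proxy refuses to run on the shipped default key."""
    try:
        HardenedProxy(SHIPPED_DEFAULT_KEY)
    except ValueError:
        return True
    return False


def demo() -> dict:
    metadata = "http://169.254.169.254/latest/meta-data/"  # constructed target
    legit = "https://video.twimg.com/ext_tw_video/1/pu/vid/clip.mp4"  # constructed
    key = secrets.token_bytes(32)
    hardened = HardenedProxy(key)
    return {
        # Default key + no host check: the forged metadata URL goes through.
        "vulnerable_default_key": VulnerableProxy().resolve(*forge(metadata)),
        # Same forgery against a deployment with a rotated key: signature fails.
        "hardened_forged": hardened.resolve(*forge(metadata)),
        # Even a correctly signed internal URL is refused by the host check.
        "hardened_signed_internal": hardened.resolve(sign(metadata, key), metadata),
        "hardened_signed_legit": hardened.resolve(sign(legit, key), legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the four outcomes: the vulnerable proxy resolves the forged metadata URL, while the hardened proxy returns None for the forged request, None for a correctly signed internal URL, and the URL itself only for a signed upstream media URL. The host check deliberately runs after the signature check so that it is never bypassed by a valid signature, and it also rejects userinfo and non-default ports, which are the usual tricks for smuggling a different host past a naive allowlist match.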

CWE(s)

• CWE-918 Server-Side Request Forgery (SSRF)
• CWE-1188 Initialization of a Resource with an Insecure Default

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in unauthenticated public-facing proxy endpoint directly enables exploitation of the application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

• CVE-2026-48146 (shared CWE-918)
• CVE-2026-2531 (shared CWE-918)
• CVE-2026-35431 (shared CWE-918)
• CVE-2023-46945 (shared CWE-918)
• CVE-2025-1970 (shared CWE-918)
• CVE-2026-55455 (shared CWE-918)
• CVE-2026-10068 (shared CWE-918)
• CVE-2026-39362 (shared CWE-918)
• CVE-2026-43581 (shared CWE-1188)
• CVE-2026-9312 (shared CWE-918)

Affected Assets

• Nitter, /video media proxy endpoint (affected versions not stated)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

• Addresses CWE-918: Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
• Addresses CWE-1188: Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
• Addresses CWE-1188: Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults.
• Addresses CWE-1188: Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
• Addresses CWE-1188: Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.
• Addresses CWE-1188: Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system.
• Addresses CWE-1188: SCRM practices during acquisition and configuration management address insecure default initializations shipped by vendors.
• Addresses CWE-1188: Scans detect resources initialized with insecure defaults that create exploitable conditions.
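The penetration-testing and scanning controls above are only useful if someone actually looks at what the proxy was asked to fetch. The following is an added example written for this page, not a Nitter or advisory artefact: it triages constructed proxy access-log lines for targets that are not the expected upstream. The log layout (`/video/<sig>/<url-encoded target>`), the allowlist `ALLOWED_HOSTS` and the sample lines are assumptions; the classification logic (allowlisted upstream, cloud metadata endpoints, private/loopback/link-local addresses, anything else) is generic SSRF triage and applies to any media proxy that logs its target URL.

```python
"""
Added example (not from the advisory or from Nitter): triage of media-proxy
access logs for SSRF-style targets. Log format, allowlist and sample lines
are constructed assumptions.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Assumed: the proxy logs the signed target URL it was asked to fetch.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ "GET /video/(?P<sig>[0-9a-f]+)/(?P<target>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3})'
)

ALLOWED_HOSTS = {"video.twimg.com", "pbs.twimg.com"}  # assumed upstream allowlist

# Well-known cloud metadata endpoints (AWS IPv4/IPv6, GCP).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def classify_target(target: str) -> str:
    """Return one of: allowed, metadata, internal, unexpected, malformed."""
    p = urlsplit(unquote(target))
    host = p.hostname
    if p.scheme not in ("http", "https") or not host:
        return "malformed"
    if host in ALLOWED_HOSTS:
        return "allowed"
    if host in METADATA_HOSTS:
        return "metadata"
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname we do not expect; resolving it (e.g. an intranet name) is
        # a follow-up step, so flag it rather than silently accepting it.
        return "unexpected"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "unexpected"


def triage(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(source IP, verdict, HTTP status, decoded target) for every non-allowed fetch."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_target(m["target"])
        if verdict != "allowed":
            findings.append((m["src"], verdict, m["status"], unquote(m["target"])))
    return findings


# Constructed sample log: one legitimate fetch and four that should be flagged,
# including the userinfo trick (allowed host before '@', real host after it).
SAMPLE_LOG = [
    '203.0.113.7 - "GET /video/3f2a9c1be0d4/https%3A%2F%2Fvideo.twimg.com%2Fext_tw_video%2F1%2Fpu%2Fvid%2Fclip.mp4 HTTP/1.1" 200',
    '198.51.100.23 - "GET /video/9a0d3e55c1f7/http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2F HTTP/1.1" 200',
    '198.51.100.23 - "GET /video/77b1c2d3e4f5/http%3A%2F%2F10.0.0.5%3A8080%2Fadmin HTTP/1.1" 200',
    '198.51.100.23 - "GET /video/aa11bb22cc33/https%3A%2F%2Fvideo.twimg.com%40127.0.0.1%2F HTTP/1.1" 500',
    '198.51.100.23 - "GET /video/0123456789ab/http%3A%2F%2Fintranet.corp.example%2F HTTP/1.1" 200',
]


if __name__ == "__main__":
    for src, verdict, status, target in triage(SAMPLE_LOG):
        print(f"{src}\t{verdict}\t{status}\t{target}")
```

A 200 on a metadata or internal target means the proxy returned that body to the caller and is the line to escalate; a 500 still shows intent and is worth keeping as an indicator. The same `classify_target` check, run before the fetch rather than over the logs afterwards, is the allowlist the vulnerability is missing.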

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). None of these rules is specific to Nitter: they harden the host baseline against insecure defaults in general and do not substitute for rotating the proxy's HMAC key and restricting its target hosts.

Oracle Linux 8 (1 rule)
  • V-248823 OL 8 must not have the telnet-server package installed. via CWE-1188
RHEL 7 (1 rule)
  • V-204627 SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default. via CWE-1188
Ubuntu 22.04 (1 rule)
  • V-260529 Ubuntu 22.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Ubuntu 24.04 (1 rule)
  • V-270708 Ubuntu 24.04 LTS must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. via CWE-1188
Windows Server 2016 (1 rule)
  • V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2019 (1 rule)
  • V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
Windows Server 2022 (1 rule)
  • V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-1188
