CVE-2026-24138
Unauthenticated SSRF in FOG getversion.php Allows Internal Access
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | fog | to 1.5.10.1754 (inc) |
| unknown_vendor | fog | to 1.5.10.1754 (exc) |
| unknown_vendor | fog | From 1.6.0 (inc) to 1.6-beta.2270 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized disclosure of sensitive data by enabling unauthenticated attackers to read arbitrary files on the server and access internal HTTP services. This unauthorized data disclosure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. [1]
Can you explain this vulnerability to me?
CVE-2026-24138 is a high-severity unauthenticated Server-Side Request Forgery (SSRF) vulnerability in FOGProject versions up to 1.5.10.1754. It exists in the getversion.php endpoint, which accepts a user-controlled 'url' parameter. When the request includes 'newService=1', authentication checks are bypassed, allowing unauthenticated attackers to make the server send HTTP requests to arbitrary URLs or read local files accessible by the FOG service user. This happens due to a logic flaw in authorization checks that incorrectly grant access if 'newService' is present, enabling attackers to access internal services or sensitive files. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to access internal HTTP services that are normally protected, potentially exposing sensitive internal network information. Additionally, attackers can read arbitrary files on the server running FOGProject, leading to unauthorized disclosure of sensitive data. Since no authentication is required and the attack complexity is low, this can result in significant confidentiality breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access the vulnerable endpoint with crafted requests that include the parameters `newService=1` and a controlled `url` parameter. For example, you can run commands like `curl "http://<fog-server>/fog/service/getversion.php?newService=1&url=http://127.0.0.1:9001/"` to check if the server makes a request to an internal HTTP service, or `curl "http://<fog-server>/fog/service/getversion.php?newService=1&url=file:///etc/passwd"` to test if local files can be read. If the server responds with data from these internal or local resources without authentication, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/fog/service/getversion.php` to trusted users or internal networks only, implementing network-level controls to block unauthorized requests to internal services, and monitoring for suspicious requests containing the `newService=1` parameter. Since no fixed release version is available at the time of publication, applying any available patches or updates from the FOGProject as soon as they are released is critical. Additionally, consider disabling or restricting the functionality that processes the `url` parameter until a patch is applied. [1]
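The monitoring suggested above, as an added example that is not part of this record or of FOG's own code: a small Python scanner over constructed web-server access-log lines that flags requests to getversion.php carrying `newService=1` together with a `url` parameter, and labels the two shapes the answers describe (a `file://` URL, or an `http(s)` URL aimed at a loopback, private or link-local address). The combined log format, the sample lines and the label strings are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log shape (assumed); only client IP and request target are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

def _is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918 and link-local targets; 'localhost' and an empty host count too."""
    if host in ("", "localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve it separately if you also want DNS-based checks
    return addr.is_loopback or addr.is_private or addr.is_link_local

def classify_request(target: str):
    """Return a reason string when the request target matches the CVE-2026-24138 pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/service/getversion.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes parameter values
    if qs.get("newService", [""])[0] != "1" or "url" not in qs:
        return None  # ordinary client version checks never carry this combination
    fetched = urlsplit(qs["url"][0])
    if fetched.scheme == "file":
        return "local file read via getversion.php url=file://"
    if fetched.scheme in ("http", "https") and _is_internal_host(fetched.hostname or ""):
        return f"SSRF to internal host {fetched.hostname}"
    return "unauthenticated url fetch via newService=1"

def scan_log(lines):
    """Return (client_ip, reason, request_target) for every suspicious line, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify_request(m.group("target"))):
            hits.append((m.group("ip"), reason, m.group("target")))
    return hits

# Constructed sample lines: two abuse attempts from 203.0.113.5 and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jan/2026:10:00:01 +0000] "GET /fog/service/getversion.php?newService=1&url=http://127.0.0.1:9001/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jan/2026:10:00:02 +0000] "GET /fog/service/getversion.php?newService=1&url=file:///etc/passwd HTTP/1.1" 200 1840',
    '198.51.100.7 - - [23/Jan/2026:10:00:03 +0000] "GET /fog/service/getversion.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [23/Jan/2026:10:00:04 +0000] "GET /fog/management/index.php?node=home HTTP/1.1" 200 9000',
]
```

Feed real access-log lines to `scan_log` and forward the hits to your alerting; a hit from a client outside your management network is the signal the mitigation answer asks you to watch for.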