CVE-2026-24138
Unauthenticated SSRF in FOG getversion.php Allows Internal Access

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: GitHub, Inc.

Description
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication.
Meta Information
Published: 2026-01-23
Last Modified: 2026-01-23
Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 3 associated CPEs

Vendor          Product  Version / Range
unknown_vendor  fog      to 1.5.10.1754 (inc)
unknown_vendor  fog      to 1.5.10.1754 (exc)
unknown_vendor  fog      From 1.6.0 (inc) to 1.6-beta.2270 (exc)
CWE ID   Description
CWE-918  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24138 is a high-severity unauthenticated Server-Side Request Forgery (SSRF) vulnerability in FOGProject versions up to 1.5.10.1754. It exists in the getversion.php endpoint, which accepts a user-controlled `url` parameter. When the request includes `newService=1`, authentication checks are bypassed, allowing unauthenticated attackers to make the server send HTTP requests to arbitrary URLs or read local files accessible by the FOG service user. This happens due to a logic flaw in authorization checks that incorrectly grant access if `newService` is present, enabling attackers to access internal services or sensitive files. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to access internal HTTP services that are normally protected, potentially exposing sensitive internal network information. Additionally, attackers can read arbitrary files on the server running FOGProject, leading to unauthorized disclosure of sensitive data. Since no authentication is required and the attack complexity is low, this can result in significant confidentiality breaches. [1]

Detection Guidance

You can detect this vulnerability by attempting to access the vulnerable endpoint with crafted requests that include the parameters `newService=1` and a controlled `url` parameter. For example, you can run commands like: curl "http://<fog-server>/fog/service/getversion.php?newService=1&url=http://127.0.0.1:9001/" to check if the server makes a request to an internal HTTP service, or curl "http://<fog-server>/fog/service/getversion.php?newService=1&url=file:///etc/passwd" to test if local files can be read. If the server responds with data from these internal or local resources without authentication, the vulnerability is present. [1]
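The passive counterpart to the probes above, and to the log monitoring recommended under mitigation, is to scan existing web-server access logs for the request shape described here. The following is an added example, not code from the page or from the FOG project; it assumes Apache "combined" log format and uses constructed sample lines that mirror the two request types named above.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log lines for illustration only; the two
# flagged request shapes follow the detection guidance above, the rest is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2026:10:01:02 +0000] "GET /fog/service/getversion.php?newService=1&url=http://127.0.0.1:9001/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.5 - - [23/Jan/2026:10:01:03 +0000] "GET /fog/service/getversion.php?newService=1&url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
10.0.0.7 - - [23/Jan/2026:10:02:00 +0000] "GET /fog/service/getversion.php HTTP/1.1" 200 12 "-" "FOGService/1.5"
10.0.0.8 - - [23/Jan/2026:10:03:00 +0000] "GET /fog/index.php?node=host HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jan/2026:10:04:00 +0000] "GET /fog/service/getversion.php?newService=1&url=http://example.com/ HTTP/1.1" 200 300 "-" "python-requests/2.31"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_url(url):
    """Rate the destination: local file, internal address, or outbound fetch."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("file", ""):          # file:// or a bare path both read local files
        return "high: local file read"
    host = parts.hostname or ""
    if host == "localhost":
        return "high: internal address"
    try:
        ip = ip_address(host)
    except ValueError:                   # a DNS name: cannot resolve offline, still a fetch
        return "medium: outbound fetch"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "high: internal address"
    return "medium: outbound fetch"

def scan_log(text):
    """Return (client_ip, url_param, severity) for getversion.php hits carrying newService=1 and url."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        req = urlsplit(m.group("target"))          # path + query of the request line
        if not req.path.endswith("/getversion.php"):
            continue
        qs = parse_qs(req.query)                   # percent-decodes the values for us
        if qs.get("newService", [""])[0] != "1" or "url" not in qs:
            continue
        url = qs["url"][0]
        findings.append((line.split()[0], url, classify_url(url)))
    return findings
```

Calling `scan_log` on the sample returns three findings: two high-severity hits from 10.0.0.5 and one outbound fetch from 10.0.0.9; the legitimate client check-in without parameters is ignored.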

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/fog/service/getversion.php` to trusted users or internal networks only, implementing network-level controls to block unauthorized requests to internal services, and monitoring for suspicious requests containing the `newService=1` parameter. Since no fixed release version is available at the time of publication, applying any available patches or updates from the FOGProject as soon as they are released is critical. Additionally, consider disabling or restricting the functionality that processes the `url` parameter until a patch is applied. [1]

Compliance Impact

The vulnerability allows unauthorized disclosure of sensitive data by enabling unauthenticated attackers to read arbitrary files on the server and access internal HTTP services. This unauthorized data disclosure could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access. [1]
