CVE-2026-27170
Server-Side Request Forgery in OpenSift URL Ingest Component
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensift | opensift | to 1.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27170 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenSift AI study tool, specifically in its URL ingestion feature in versions 1.1.2-alpha and below.
The vulnerability occurs because the server-side fetch behavior is overly permissive, allowing attackers to coerce OpenSift into making requests to unsafe or unintended targets, including private or localhost network resources accessible from the OpenSift host process.
This happens due to improper input validation where the system fails to adequately check or restrict URLs before fetching them, enabling potential access or probing of internal network resources.
The issue was fixed in version 1.1.3-alpha by implementing stricter validation such as blocking requests to localhost and private networks, validating DNS destinations, handling redirects safely, rejecting unsupported URL schemes, and limiting redirect hops.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to make the OpenSift server perform unauthorized requests to internal or private network resources that are normally inaccessible from outside.
Such unauthorized access can lead to information disclosure by probing or accessing sensitive internal services or data.
The CVSS score indicates a high confidentiality impact, meaning sensitive information could be exposed, but the integrity and availability impacts are low or none.
If exploited, this could compromise the security of internal networks and systems connected to the OpenSift host.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves Server-Side Request Forgery (SSRF) through the OpenSift URL ingestion endpoint, where the system may fetch attacker-controlled URLs leading to unsafe or internal network targets.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network or system, monitor for unusual outbound requests from the OpenSift host process to private, localhost, or otherwise unexpected internal IP addresses.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or commands to identify such suspicious requests. For example:'}, {'type': 'list_item', 'content': "Use tcpdump or tshark to capture outgoing HTTP requests from the OpenSift host: tcpdump -i <interface> 'tcp dst port 80 or 443'"}, {'type': 'list_item', 'content': 'Use netstat or ss to check for active connections from the OpenSift process to internal IP ranges: netstat -plant | grep opensift'}, {'type': 'list_item', 'content': 'Check application logs for URL ingestion requests that include private or localhost IP addresses or suspicious domains.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing the OpenSift logs or enabling debug logging may help identify attempts to ingest unsafe URLs.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenSift to version 1.1.3-alpha or later, where the vulnerability has been fixed by implementing stricter URL validation and blocking unsafe requests.
If upgrading immediately is not possible, a temporary workaround is to set the environment variable OPENSIFT_ALLOW_PRIVATE_URLS=true only if you trust local-only exceptions, but this should be used with caution due to security risks.
Other mitigation steps include:
- Restrict network access from the OpenSift host process to prevent it from making requests to private or localhost IP ranges.
- Monitor and audit URL ingestion inputs to detect and block potentially malicious or unsafe URLs.
- Apply network-level controls such as firewall rules to block outbound requests to internal network addresses from the OpenSift host.