Executive Summary

CVE-2026-27797 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the Homarr open-source dashboard prior to version 1.54.0.

This vulnerability allows a remote attacker to make the Homarr server perform arbitrary outbound HTTP requests by exploiting a public API endpoint that accepts user-controlled URLs without proper validation.

Because the server does not restrict requests to internal or private IP ranges, attackers can use this to access internal network services, including loopback and private IP addresses, from the Homarr host or container network context.

The root cause is that the RSS feed fetching functionality accepts arbitrary URLs from unauthenticated users without restricting or validating them, enabling SSRF attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to perform SSRF attacks through the Homarr server, enabling them to:

• Access internal network services that are normally protected and not reachable from outside.
• Reach loopback and private IP address ranges from the Homarr host or container network.
• Perform internal network discovery or port scanning.
• Interact with protected HTTP endpoints only accessible internally.
• In cloud environments, access instance metadata services (e.g., AWS metadata service at 169.254.169.254), potentially exfiltrating sensitive credentials, tokens, or configuration data.
• Enable lateral movement, privilege escalation, or full cloud account compromise depending on the permissions of the instance role or service account.

The vulnerability has a moderate severity with a CVSS v3 base score of 5.3.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

The vulnerability can be detected by monitoring for unusual outbound HTTP requests originating from the Homarr server or container, especially requests to internal network IP ranges such as loopback (127.0.0.1) or private IP ranges. Since the vulnerability involves unauthenticated SSRF via the tRPC query `widget.rssFeed.getFeeds`, detection can include inspecting logs or network traffic for unexpected requests triggered by this endpoint.

A practical approach is to capture and analyze HTTP requests from the Homarr host or container using network monitoring tools or packet capture utilities.

• Use tcpdump or similar to monitor outbound HTTP traffic from the Homarr server: `tcpdump -i <interface> tcp and dst port 80 or 443`
• Check application logs for calls to the `widget.rssFeed.getFeeds` endpoint with unusual or unexpected URL parameters.
• If possible, enable verbose logging or debugging in Homarr to capture feed fetch requests.

Additionally, a proof of concept involves sending crafted requests to the vulnerable endpoint to trigger SSRF, which can be used in controlled testing environments to confirm the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Homarr to version 1.54.0 or later, where the vulnerability has been patched by enforcing strict authentication and permission checks on RSS feed URL access.

If upgrading immediately is not possible, consider the following interim measures:

• Restrict access to the vulnerable `widget.rssFeed.getFeeds` API endpoint to authenticated and authorized users only.
• Implement network-level controls to block outbound HTTP requests from the Homarr server to internal IP ranges and sensitive metadata service IPs (e.g., 169.254.169.254).
• Limit or monitor the number and destination of outbound HTTP requests originating from Homarr.

Longer-term, ensure that the system does not accept arbitrary URLs from unauthenticated users and that SSRF protections such as IP range blocking, DNS validation, redirect handling, timeouts, and request limits are implemented.

Useful 0 Not Useful 0