CVE-2026-27797
Unauthenticated SSRF in Homarr Dashboard Enables Internal Network Access
Publication date: 2026-03-07
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homarr | homarr | to 1.54.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27797 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the Homarr open-source dashboard prior to version 1.54.0.
This vulnerability allows a remote attacker to make the Homarr server perform arbitrary outbound HTTP requests by exploiting a public API endpoint that accepts user-controlled URLs without proper validation.
Because the server does not restrict requests to internal or private IP ranges, attackers can use this to access internal network services, including loopback and private IP addresses, from the Homarr host or container network context.
The root cause is that the RSS feed fetching functionality accepts arbitrary URLs from unauthenticated users without restricting or validating them, enabling SSRF attacks.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform SSRF attacks through the Homarr server, enabling them to:
- Access internal network services that are normally protected and not reachable from outside.
- Reach loopback and private IP address ranges from the Homarr host or container network.
- Perform internal network discovery or port scanning.
- Interact with protected HTTP endpoints only accessible internally.
- In cloud environments, access instance metadata services (e.g., AWS metadata service at 169.254.169.254), potentially exfiltrating sensitive credentials, tokens, or configuration data.
- Enable lateral movement, privilege escalation, or full cloud account compromise depending on the permissions of the instance role or service account.
The vulnerability has a moderate severity with a CVSS v3 base score of 5.3.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by monitoring for unusual outbound HTTP requests originating from the Homarr server or container, especially requests to internal network IP ranges such as loopback (127.0.0.1) or private IP ranges. Since the vulnerability involves unauthenticated SSRF via the tRPC query `widget.rssFeed.getFeeds`, detection can include inspecting logs or network traffic for unexpected requests triggered by this endpoint.
A practical approach is to capture and analyze HTTP requests from the Homarr host or container using network monitoring tools or packet capture utilities.
- Use tcpdump or similar to monitor outbound HTTP traffic from the Homarr server: `tcpdump -i <interface> tcp and dst port 80 or 443`
- Check application logs for calls to the `widget.rssFeed.getFeeds` endpoint with unusual or unexpected URL parameters.
- If possible, enable verbose logging or debugging in Homarr to capture feed fetch requests.
Additionally, a proof of concept involves sending crafted requests to the vulnerable endpoint to trigger SSRF, which can be used in controlled testing environments to confirm the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Homarr to version 1.54.0 or later, where the vulnerability has been patched by enforcing strict authentication and permission checks on RSS feed URL access.
If upgrading immediately is not possible, consider the following interim measures:
- Restrict access to the vulnerable `widget.rssFeed.getFeeds` API endpoint to authenticated and authorized users only.
- Implement network-level controls to block outbound HTTP requests from the Homarr server to internal IP ranges and sensitive metadata service IPs (e.g., 169.254.169.254).
- Limit or monitor the number and destination of outbound HTTP requests originating from Homarr.
Longer-term, ensure that the system does not accept arbitrary URLs from unauthenticated users and that SSRF protections such as IP range blocking, DNS validation, redirect handling, timeouts, and request limits are implemented.