CVE-2026-28508
Status: Received - Intake
CSRF Bypass in Idno API Enables Server-Side Request Forgery

Publication date: 2026-03-06

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Vendor: withknown
Product: known
Version / Range: all versions before 1.6.4 (1.6.4 excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-28508 is a critical Server-Side Request Forgery (SSRF) vulnerability in the Idno social publishing platform versions prior to 1.6.4. It exists in the URL unfurl service endpoint, where a logic error in the API authentication flow allows unauthenticated remote attackers to bypass CSRF protection.

Specifically, the endpoint intended to be protected is accessible without login, and the CSRF protections can be bypassed because the system prematurely sets an API request flag before verifying credentials. Attackers can exploit this to force the server to make arbitrary HTTP requests to any host, including internal network addresses and cloud metadata services, and retrieve the response content.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to make arbitrary HTTP requests from the vulnerable server to any destination, including internal network hosts and cloud instance metadata services.

  • Exfiltration of sensitive data from cloud metadata services (e.g., AWS IMDSv1, GCP, Azure), potentially exposing credentials and tokens.
  • Internal network reconnaissance by probing hosts and ports that are normally inaccessible externally.
  • Access to internal admin interfaces, databases, caches, and internal APIs that are protected by localhost restrictions.
  • Potential interaction with internal services like Redis or Memcached, which could lead to cache poisoning or data exfiltration.

Detection Guidance

This vulnerability can be detected by testing the URL unfurl service endpoint for unauthorized access and SSRF behavior. Specifically, you can attempt to access the endpoint without authentication and observe if it returns content from internal or external URLs.

A practical detection method is to use curl commands to send requests to the vulnerable endpoint with crafted headers that bypass CSRF protections.

  • Use curl to send a GET request to the unfurl endpoint with the headers 'X-Requested-With: XMLHttpRequest', 'X-IDNO-USERNAME', and 'X-IDNO-SIGNATURE' set to any non-empty values.
  • Example command: curl -H "X-Requested-With: XMLHttpRequest" -H "X-IDNO-USERNAME: any" -H "X-IDNO-SIGNATURE: any" "http://target/service/web/unfurl?url=http://127.0.0.1"

If the response contains content from the internal URL (e.g., localhost), it indicates the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation consists of applying the patch shipped in Idno version 1.6.4, which fixes the authentication logic flaw.

Specifically, the patch moves the setting of the API request flag to occur only after successful HMAC credential verification, preventing CSRF bypass.

Additionally, implement defense-in-depth by blocking private, loopback, and reserved IP address ranges in the unfurl function to prevent SSRF to internal resources.

  • Upgrade Idno to version 1.6.4 or later.
  • Ensure the API authentication flow correctly validates credentials before setting API request flags.
  • Add IP filtering to block requests to internal IP ranges such as 127.0.0.1, 10.0.0.0/8, 169.254.169.254, and other private or reserved addresses.
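The IP-filtering step above, as an added Python example (not Idno's own code): a check an unfurl fetcher can run on the target URL before issuing the request. It resolves the host first and judges every returned address, so names that resolve to private ranges, IPv4-mapped IPv6 forms and the 169.254.169.254 metadata address are all refused; the resolver injected in the test and its hostnames are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_disallowed_ip(ip):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses in either IP family."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host):
    """Default resolver: every A/AAAA answer for host, as strings."""
    infos = socket.getaddrinfo(host, None)
    # drop a "%scope" suffix that link-local IPv6 answers may carry
    return [info[4][0].split("%")[0] for info in infos]


def check_unfurl_target(url, resolver=resolve_all):
    """Return (allowed, reason). Only http/https, and every address the
    host resolves to must be outside the disallowed ranges."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = [host]
        ipaddress.ip_address(host)  # literal IP (brackets already stripped)
    except ValueError:
        try:
            addrs = resolver(host)  # hostname, decimal/octal forms, etc.
        except (socket.gaierror, OSError) as exc:
            return False, f"DNS failure: {exc}"
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if is_disallowed_ip(ip):
            return False, f"{host} resolves to disallowed address {ip}"
    return True, "ok"
```

The fetcher should connect to the vetted address rather than resolving the name a second time, and should repeat the check on every redirect hop, otherwise a DNS answer that changes between check and fetch reopens the hole.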