CVE-2026-30834
SSRF Vulnerability in PinchTab /download Endpoint Allows Data Exfiltration
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pinchtab | pinchtab | to 0.7.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-30834 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the PinchTab application, affecting versions prior to 0.7.7.'}, {'type': 'paragraph', 'content': "The vulnerability exists in the /download endpoint, where a user-supplied URL parameter is passed directly to the server's headless Chrome instance without validation or sanitization."}, {'type': 'paragraph', 'content': 'This allows an attacker with API access to make the PinchTab server request arbitrary URLs, including local system files (e.g., file:///etc/passwd), internal network services, and cloud metadata endpoints.'}, {'type': 'paragraph', 'content': 'The server then returns the full response content from these requests to the attacker, enabling exfiltration of sensitive data.'}] [1]
How can this vulnerability impact me? :
This vulnerability can severely impact confidentiality by allowing attackers to read sensitive local files, access internal network services, and retrieve cloud provider metadata.
Attackers can exploit this without any privileges or user interaction, and with low complexity, making it highly accessible.
Potential impacts include exposure of sensitive data, internal infrastructure probing, and unauthorized access to internal management interfaces or cloud credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the vulnerable /download endpoint with crafted URLs that exploit the SSRF issue. For example, sending requests to the /download endpoint with URLs pointing to local files or internal services can reveal if the server is vulnerable.'}, {'type': 'list_item', 'content': 'Use curl commands to test the /download endpoint, such as:'}, {'type': 'list_item', 'content': 'curl -X GET "http://localhost:9867/download?url=file:///etc/passwd" to check if local files can be accessed.'}, {'type': 'list_item', 'content': 'curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin" to check access to internal network services.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the PinchTab application to version 0.7.7 or later, where this SSRF vulnerability in the /download endpoint has been patched.
Until the upgrade can be performed, restrict or disable access to the /download endpoint to trusted users only, and avoid exposing the API externally to reduce the risk of exploitation.