Executive Summary

CVE-2026-36756 is a Server-Side Request Forgery (SSRF) vulnerability found in the /plugins/-/install-from-uri endpoint of Halo version 2.22.14.

This vulnerability allows authenticated attackers to send crafted HTTP GET requests that cause the server to make requests to internal network resources.

The root cause is that the server fetches plugin data from user-supplied URIs without validating or sanitizing them, specifically in the DefaultReactiveUrlDataBufferFetcher class.

Because there is no restriction on protocols or host validation, attackers can trick the server into accessing internal services that are normally not reachable externally.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-36756 vulnerability allows authenticated attackers to perform Server-Side Request Forgery (SSRF) attacks, enabling them to scan internal resources and potentially access sensitive information within the internal network.

Such unauthorized access to internal resources and sensitive data could lead to violations of common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, if personal or protected health information is exposed due to this vulnerability, it could result in non-compliance with these regulations, leading to legal and financial consequences.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to scan and access internal network resources that should be protected.

Such unauthorized internal scanning can expose sensitive information about internal services, potentially leading to further exploitation or data breaches.

Because the attacker can make the server perform requests on their behalf, it may also be possible to bypass network access controls or firewalls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP GET requests made to the vulnerable endpoint `/apis/uc.api.storage.halo.run/v1alpha1/plugins/-/install-from-uri` in Halo version 2.22.14. Specifically, look for authenticated requests that attempt to access internal network addresses via this endpoint.

To detect exploitation attempts, you can use network monitoring tools or web server logs to identify suspicious requests targeting this endpoint with unusual or internal IP addresses.

• Use curl or similar tools to simulate requests and observe server behavior, for example: `curl -i -H "Authorization: Bearer <token>" "http://<halo-server>/apis/uc.api.storage.halo.run/v1alpha1/plugins/-/install-from-uri?uri=http://internal-ip"`
• Check web server access logs for GET requests to `/apis/uc.api.storage.halo.run/v1alpha1/plugins/-/install-from-uri` containing internal IP addresses or unusual URIs.
• Use network monitoring tools like Wireshark or tcpdump to capture outgoing HTTP requests from the Halo server to internal IP addresses.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, as the vulnerability requires authentication.

Implement network-level controls such as firewall rules to block outbound HTTP requests from the Halo server to internal IP ranges that should not be accessible.

Apply input validation or filtering on the URI parameter to prevent requests to internal IP addresses, for example by implementing a blacklist of internal IP ranges.

Monitor and audit logs for suspicious activity targeting the `/apis/uc.api.storage.halo.run/v1alpha1/plugins/-/install-from-uri` endpoint.

Upgrade to a patched version of Halo once available or apply vendor-provided patches that address this SSRF vulnerability.

Useful 0 Not Useful 0