CVE-2026-6979
Received Received - Intake
Server-Side Request Forgery in devlikeapro WAHA API Handler

Publication date: 2026-04-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6979
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devlikeapro waha to 2026.3.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6979 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in the WAHA application's media URL fetch functionality.

The vulnerability occurs because the API accepts a user-supplied URL parameter which is directly used to fetch resources without any validation or filtering to block access to internal or private IP ranges.

An attacker with a valid API key and session can make the server perform arbitrary HTTP requests to internal or external resources, potentially accessing sensitive internal services or attacker-controlled endpoints.

Impact Analysis

This vulnerability can have several impacts:

  • Confidentiality: High risk due to potential access to internal HTTP services and sensitive metadata.
  • Integrity: Low to Medium risk depending on whether internal write-enabled endpoints are accessible.
  • Availability: Low to Medium risk as attackers could abuse the feature to exhaust server resources by fetching large or slow remote resources.

The attack requires a valid API key and session, but if these are exposed or used in automated contexts, the risk increases significantly.

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests initiated by the WAHA server, especially those targeting internal IP ranges or attacker-controlled external hosts. Since the exploit requires a valid API key and session, checking API request logs for suspicious POST requests to the media URL fetch endpoint is important.

Specifically, look for POST requests to the endpoint `/api/default/media/convert/voice` containing JSON bodies with a "url" parameter pointing to unexpected or internal addresses.

Suggested commands to detect potential exploitation attempts include:

  • Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the WAHA server, filtering for unusual destinations.
  • Example tcpdump command to capture outbound HTTP traffic: `tcpdump -i <interface> -n host <WAHA_server_IP> and tcp port 80 or 443`
  • Checking application logs for API requests with suspicious URL parameters, e.g., using grep: `grep -r 'url' /path/to/waha/logs | grep -E 'http://169.254.169.254|http://ATTACKER_HOST'`
  • Using curl or similar tools to test the API endpoint with crafted requests to verify if SSRF is possible (requires valid API key):
  • Example curl command: `curl -X POST https://<waha_server>/api/default/media/convert/voice -H 'X-Api-Key: <valid_api_key>' -H 'Content-Type: application/json' -d '{"url":"http://169.254.169.254/latest/meta-data/"}'`
Mitigation Strategies

Immediate mitigation steps include disabling URL-based media inputs if they are not required, and preferring base64 uploads instead.

Implement strict allowlists for outbound URL fetch destinations to prevent requests to unauthorized or internal IP ranges.

Block loopback, private, link-local, and metadata IP ranges after DNS resolution and redirects to prevent SSRF attacks targeting internal services.

Apply outbound egress network policies to restrict the WAHA server's ability to make arbitrary HTTP requests.

Implement per-endpoint request limits, timeouts, and safeguards against resource abuse to reduce the impact of potential SSRF exploitation.

Longer term, introduce a centralized SSRF-safe URL validator before calling the fetch method, including IP resolution and validation, protocol and port restrictions, and security regression tests.

Compliance Impact

The vulnerability allows authenticated attackers to perform server-side request forgery (SSRF), potentially accessing internal HTTP services and sensitive metadata. This can lead to unauthorized disclosure of confidential information, which may impact compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive data.

Because the flaw enables access to internal resources and sensitive data without proper network-level controls, it increases the risk of data breaches and unauthorized data exposure. Such incidents can violate regulatory requirements for confidentiality, integrity, and availability of protected information.

Mitigations such as strict allowlisting, blocking private IP ranges, and implementing request limits are recommended to reduce this risk and help maintain compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart