CVE-2026-50872
Status: Received (Intake)
Command Injection in Selfoss RSS Reader

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information by supplying a crafted HTTP request.

Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: fossar
Product: selfoss
Version / Range: 2.20

CWE ID: CWE-UNKNOWN

Compliance Impact

The vulnerability in fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information by exploiting improper handling of loopback requests and forwarding headers.

This unauthorized access and potential data exposure could lead to non-compliance with common standards and regulations such as GDPR and HIPAA, which require protection of sensitive information and prevention of unauthorized access.

Specifically, the ability for an attacker to create privileged sources and perform server-side request forgery (SSRF) may result in exposure of personal or protected health information, violating confidentiality and data protection requirements.

Impact Analysis

This vulnerability can have serious impacts including unauthorized creation of privileged sources within the application and the ability to fetch arbitrary internal or external URLs.

Attackers can exploit this to execute arbitrary commands on the server and obtain sensitive information, potentially leading to data breaches, system compromise, and unauthorized access to internal network resources.

Executive Summary

CVE-2026-50872 is a vulnerability in the loopback request handling component of fossar selfoss version 2.20-SNAPSHOT. It occurs when the application is deployed behind a same-host reverse proxy that does not properly preserve forwarding headers such as X-Forwarded-For or Forwarded.

Because of this misconfiguration, the application mistakenly trusts external requests as if they originate from the local loopback address (127.0.0.1). This trust allows unauthenticated attackers to send crafted HTTP POST requests to the /source endpoint with an empty title and a malicious feed URL.

As a result, attackers can create privileged sources and trigger server-side URL fetches, effectively enabling Server-Side Request Forgery (SSRF). This means attackers can execute arbitrary commands and obtain sensitive information by exploiting the application's incorrect trust in the request origin.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /source endpoint with an empty title and a malicious feed URL, especially if these requests appear to originate from a loopback address (127.0.0.1) due to missing or improperly set forwarding headers like X-Forwarded-For or Forwarded.

You can use network monitoring or web server logs to identify such requests. Command-line tools such as curl or tcpdump can help you reproduce or capture this kind of traffic.

  • Use curl to test the endpoint: curl -X POST -d 'title=&feed_url=http://malicious.example.com' http://your-selfoss-instance/source -v
  • Check web server logs for POST requests to /source with empty titles and unusual feed URLs.
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to /source.
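
The log check described in the points above, as an added example written for this page (it is not selfoss code and not part of the original record). It assumes a constructed JSON-lines access log in which the reverse proxy records remote_addr, x_forwarded_for, method, path and the parsed form body; the field names and the sample lines are assumptions made for the example. A request is rated "high" when it is a POST to /source with an empty title and a feed_url and it reached the application from a loopback address with no X-Forwarded-For value (the forwarding-header loss the record describes), and "medium" when only the empty-title/feed_url pattern is present.

```python
"""Added detection example for CVE-2026-50872-style requests (not selfoss code).

Assumed log format (constructed for this example): one JSON object per
request with the keys ts, remote_addr, x_forwarded_for, method, path and
form (the parsed POST body). Real proxies need body logging enabled and
a matching log format for this to apply.
"""
import json
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample lines; the layout is an assumption, not selfoss's or any proxy's default.
SAMPLE_LOG = """\
{"ts":"2026-06-16T10:00:01Z","remote_addr":"127.0.0.1","x_forwarded_for":"","method":"POST","path":"/source","form":{"title":"","feed_url":"http://example.invalid/feed"}}
{"ts":"2026-06-16T10:00:02Z","remote_addr":"127.0.0.1","x_forwarded_for":"203.0.113.7","method":"POST","path":"/source","form":{"title":"News","feed_url":"https://example.org/rss"}}
{"ts":"2026-06-16T10:00:03Z","remote_addr":"127.0.0.1","x_forwarded_for":"","method":"GET","path":"/source","form":{}}
{"ts":"2026-06-16T10:00:04Z","remote_addr":"203.0.113.9","x_forwarded_for":"","method":"POST","path":"/source","form":{"title":"","feed_url":"http://198.51.100.5/x"}}
"""


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparsable values are treated as non-loopback."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def classify(entry: Dict) -> List[str]:
    """Return the indicators matched by one log entry (empty list = nothing of interest)."""
    reasons: List[str] = []
    if entry.get("method") != "POST" or entry.get("path") != "/source":
        return reasons
    form = entry.get("form") or {}
    if form.get("title") == "":
        reasons.append("empty-title")
    if form.get("feed_url"):
        reasons.append("feed-url-present")
    # The client identity has collapsed to loopback: the app saw 127.0.0.1/::1
    # and the proxy passed no X-Forwarded-For to recover the real origin.
    if is_loopback(entry.get("remote_addr", "")) and not entry.get("x_forwarded_for"):
        reasons.append("loopback-without-forwarding-header")
    return reasons


def scan(log_text: str) -> List[Dict]:
    """Scan JSON-lines log text and return one finding per suspicious request."""
    findings: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = classify(entry)
        if "empty-title" in reasons and "feed-url-present" in reasons:
            severity = "high" if "loopback-without-forwarding-header" in reasons else "medium"
            findings.append({
                "ts": entry.get("ts"),
                "remote_addr": entry.get("remote_addr"),
                "feed_url": entry["form"].get("feed_url"),
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["ts"], finding["remote_addr"], finding["feed_url"], finding["reasons"])
```

On the sample data the first line is rated high (loopback origin, no forwarding header, empty title, feed URL supplied) and the fourth medium (same body pattern, but the proxy still passed a real client address); the GET and the normally titled request are ignored. The "high" rule is the one that matters for this record, since it is exactly the header loss that lets an external request be treated as local.
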

Mitigation Strategies

Immediate mitigation steps include ensuring that your reverse proxy correctly preserves forwarding headers such as X-Forwarded-For or Forwarded, so that the application does not mistakenly trust external requests as originating from the loopback address.

Additionally, restrict or validate incoming requests to the /source endpoint to prevent unauthenticated creation of privileged sources.

If possible, update or patch the selfoss application to a version that addresses this vulnerability.
