CVE-2026-50887
Deferred Deferred - Pending Action

SSRF in Shlink URL Title Resolution

Vulnerability report for CVE-2026-50887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shlink shlink 5.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this SSRF vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-50887 is a Server-Side Request Forgery (SSRF) vulnerability in Shlink version 5.0.1. It occurs in the automatic short URL title resolution feature, where the system fetches the content of a long URL server-side to extract the page title if no explicit title is provided during short URL creation or editing.

The vulnerability arises because the system does not restrict requests to internal addresses. An authenticated user with a valid API key can supply a crafted long URL that points to internal HTTP services. The Shlink server then makes a request to that internal resource and extracts the page title, effectively allowing the attacker to scan internal resources via SSRF.

Impact Analysis

This vulnerability can allow an attacker with valid API credentials to perform unauthorized internal network scanning by making the Shlink server send requests to internal services. This can lead to information disclosure about internal systems that are not normally accessible from outside the network.

Such internal reconnaissance can be a stepping stone for further attacks, potentially exposing sensitive internal endpoints or services that could be exploited.

Detection Guidance

This vulnerability can be detected by verifying if the Shlink server is making server-side HTTP requests to internal resources when creating or editing short URLs without an explicit title.

A proof-of-concept detection involves setting up an HTTP listener that returns a specific HTML title, then using a valid API key to create a short URL with the listener's URL as the long URL. If the Shlink server makes a GET request to the listener and returns or stores the listener's HTML title, the SSRF vulnerability is confirmed.

  • Set up a local HTTP server that returns a unique HTML title.
  • Use a command like curl to create a short URL via Shlink's API with the longUrl set to your listener's URL and no explicit title.
  • Example curl command: curl -X POST -H "X-Api-Key: <valid_api_key>" -H "Content-Type: application/json" -d '{"longUrl":"http://your-listener.local"}' https://shlink-server/api/short-urls

If the response or stored short URL data includes the HTML title from your listener, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include disabling the AUTO_RESOLVE_TITLES feature in Shlink version 5.0.1 to prevent server-side requests to internal resources when creating or editing short URLs.

Additionally, restrict or validate the longUrl parameter to prevent requests to internal or sensitive network addresses.

Ensure that API keys are tightly controlled and only given to trusted users, as exploitation requires authentication.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart