CVE-2026-50887
Status: Received - Intake
SSRF in Shlink URL Title Resolution

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources by supplying a crafted longUrl.
Meta Information
  • Published: 2026-06-15
  • Last Modified: 2026-06-15
  • Generated: 2026-06-16
  • AI Q&A: 2026-06-15
  • EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
shlink    shlink     5.0.1
Exploitability
  • CWE ID: CWE-UNKNOWN (no description available)
AI Quick Actions
Executive Summary

CVE-2026-50887 is a Server-Side Request Forgery (SSRF) vulnerability in Shlink version 5.0.1. It occurs in the automatic short URL title resolution feature, where the system fetches the content of a long URL server-side to extract the page title if no explicit title is provided during short URL creation or editing.

The vulnerability arises because the system does not restrict requests to internal addresses. An authenticated user with a valid API key can supply a crafted long URL that points to internal HTTP services. The Shlink server then makes a request to that internal resource and extracts the page title, effectively allowing the attacker to scan internal resources via SSRF.

Impact Analysis

This vulnerability can allow an attacker with valid API credentials to perform unauthorized internal network scanning by making the Shlink server send requests to internal services. This can lead to information disclosure about internal systems that are not normally accessible from outside the network.

Such internal reconnaissance can be a stepping stone for further attacks, potentially exposing sensitive internal endpoints or services that could be exploited.

Detection Guidance

This vulnerability can be detected by verifying whether the Shlink server makes server-side HTTP requests to internal resources when a short URL is created or edited without an explicit title.

A proof-of-concept detection involves setting up an HTTP listener that returns a specific HTML title, then using a valid API key to create a short URL with the listener's URL as the long URL. If the Shlink server makes a GET request to the listener and returns or stores the listener's HTML title, the SSRF vulnerability is confirmed.

  • Set up a local HTTP server that returns a unique HTML title.
  • Use curl (or any HTTP client) to create a short URL via Shlink's API with longUrl set to your listener's URL and no explicit title, for example:

      curl -X POST -H "X-Api-Key: <valid_api_key>" -H "Content-Type: application/json" -d '{"longUrl":"http://your-listener.local"}' https://shlink-server/api/short-urls

If the response or stored short URL data includes the HTML title from your listener, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include disabling the AUTO_RESOLVE_TITLES feature in Shlink version 5.0.1 to prevent server-side requests to internal resources when creating or editing short URLs.

Additionally, restrict or validate the longUrl parameter to prevent requests to internal or sensitive network addresses.
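One way to implement that longUrl validation, written here as an added Python example rather than Shlink's own PHP code: the hostname is resolved and every returned address is checked against loopback, private, link-local and other non-routable ranges, including IPv4-mapped IPv6 forms. The DNS table is constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; a deployment would
# resolve with socket.getaddrinfo and pin the connection to the checked IP.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "dual.example": ["8.8.8.8", "127.0.0.1"],  # public and loopback in one answer
}

def resolve(host):
    """Look up a hostname in the constructed table (stands in for real DNS)."""
    return FAKE_DNS.get(host.lower(), [])

def is_disallowed_ip(ip):
    """Reject loopback, private, link-local, multicast, reserved and unspecified
    addresses, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) first."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_long_url(long_url, resolver=resolve):
    """Return (allowed, reason) for a candidate longUrl before any title fetch.

    Only http/https with a bare host are accepted; a literal IP is checked
    directly, a hostname is resolved and *every* returned address must pass,
    so a split answer mixing public and internal IPs is refused."""
    parts = urlsplit(long_url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = resolver(host)
        if not resolved:
            return False, "host did not resolve"  # fail closed
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for ip in addrs:
        if is_disallowed_ip(ip):
            return False, f"resolves to disallowed address {ip}"
    return True, "ok"
```

Apply the same check to each hop if the title fetcher follows redirects, and connect to the address that was validated instead of resolving again, since a DNS answer can change between validation and fetch.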

Ensure that API keys are tightly controlled and only given to trusted users, as exploitation requires authentication.
