CVE-2026-53607
Status: Received - Intake
ApostropheCMS SSRF via Pretty-URL Host Header

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL from the raw `Host` HTTP request header. That URL is then fetched, and the response body and headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can make the ApostropheCMS process issue outbound HTTP requests to any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code and timing differences, and verbose proxy/WAF 404 body disclosure). As of the time of publication, no known patched versions exist.
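The root cause described above, illustrated with an added Node.js example that is not ApostropheCMS code: the vulnerable construction splices the request's `Host` header into the upstream URL, while the hardened version resolves the origin from configuration and rejects unexpected hosts before any fetch. The `attachment` record, `config.baseUrl` and `config.allowedHosts` are constructed names for this illustration, not options of `@apostrophecms/file`.

```javascript
// Added illustration, not ApostropheCMS code. `attachment` is a constructed
// stand-in for the record the pretty-URL handler looks up in the local DB;
// `config.baseUrl` and `config.allowedHosts` are assumed names for server
// configuration, not real @apostrophecms/file options.

// Constructed sample DB record; only it determines the path component.
const attachment = { _id: 'ckconstructedcuid0001', name: 'report', extension: 'pdf' };

function attachmentPath(att) {
  return `/uploads/attachments/${att._id}-${att.name}.${att.extension}`;
}

// Vulnerable pattern: the upstream origin is copied from the request's Host
// header, so whoever sends the request chooses which server fetch() contacts.
function buildUpstreamUrlUnsafe(req, att) {
  return `http://${req.headers.host}${attachmentPath(att)}`;
}

// Hardened pattern: the origin comes from configuration. The Host header is
// only checked against an allowlist of names this deployment serves and is
// never spliced into the URL; unknown hosts are rejected before any fetch().
function buildUpstreamUrlSafe(req, att, config) {
  const host = String(req.headers.host || '').toLowerCase();
  if (!config.allowedHosts.includes(host)) {
    throw new Error(`unexpected Host header: ${host}`);
  }
  return new URL(attachmentPath(att), config.baseUrl).href;
}

// Constructed deployment configuration and requests.
const config = {
  baseUrl: 'https://cms.example.test',
  allowedHosts: ['cms.example.test'],
};
const legit = { headers: { host: 'cms.example.test' } };
const foreign = { headers: { host: 'internal.example.test:8080' } }; // not a name we serve

console.log('unsafe:', buildUpstreamUrlUnsafe(foreign, attachment));
console.log('safe:  ', buildUpstreamUrlSafe(legit, attachment, config));
try {
  buildUpstreamUrlSafe(foreign, attachment, config);
} catch (e) {
  console.log('rejected:', e.message);
}
```

A reverse proxy in front of the application should additionally normalize or drop unexpected `Host` values, so the allowlist check is a second line of defence rather than the only one.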
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: apostrophecms
Product: apostrophe
Version / Range: up to and including 4.30.0
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

ApostropheCMS, an open-source Node.js content management system, has a vulnerability in versions up to and including 4.30.0 when the `prettyUrls: true` feature is enabled on `@apostrophecms/file`. The pretty-URL handler builds the upstream URL from the raw `Host` HTTP request header, which is attacker-controlled, then fetches that URL and streams the response back to the requester. Because the `Host` header can be set freely by the client, an unauthenticated remote attacker can cause the ApostropheCMS process to make outbound HTTP requests to any host accessible on the private network.

The vulnerability is limited by the path component, which is constrained to a specific pattern based on local database lookups, preventing cross-instance data exfiltration. However, it still allows blind Server-Side Request Forgery (SSRF) attacks, enabling attackers to map network topology through response codes, timing differences, and detailed error messages.

As of the publication date, no patched versions addressing this vulnerability are known.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to make the ApostropheCMS server send HTTP requests to arbitrary hosts within the private network. This can be used to perform network reconnaissance by mapping internal network topology through response codes and timing analysis.

Although the impact is somewhat limited because the path is constrained and cross-instance data exfiltration is prevented, the attacker can still gain information about internal network structure and potentially exploit other internal services.

The vulnerability has a CVSS base score of 3.7, indicating a low to medium severity impact, with limited confidentiality impact and no integrity or availability impact.
