CVE-2026-57947

Pinpoint Through SSRF in Webhook Registration Endpoint

Vulnerability report for CVE-2026-57947, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

Affected Vendors & Products

Vendor    Product    Version / Range
pinpoint  pinpoint   up to 3.1.0 (inclusive)

Exploitability

CWE: CWE-918 (Server-Side Request Forgery). The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Executive Summary

CVE-2026-57947 is a Server-Side Request Forgery (SSRF) vulnerability found in Pinpoint versions up to and including 3.1.0. It exists in the webhook registration endpoint, where authenticated users can register internal URLs due to missing SSRF protections.

When an alarm threshold is breached, the server sends POST requests to these registered internal URLs, including internal hosts and cloud metadata endpoints. This can lead to unauthorized access to internal network resources.

Compliance Impact

The vulnerability allows attackers to gain unauthorized access to internal network resources and potentially expose sensitive internal user data, including personally identifiable information (PII).

Such exposure and unauthorized access could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

By enabling internal network scanning, credential exfiltration, and lateral movement to trusted services, the vulnerability increases the risk of data breaches and non-compliance with these standards.

Impact Analysis

This vulnerability can allow attackers to access sensitive internal network resources by forcing the server to send POST requests to internal hosts and metadata endpoints.

  • Unauthorized access to internal network resources.
  • Potential exposure of sensitive internal user data, including personally identifiable information (PII).
  • Internal network scanning by attackers.
  • Credential exfiltration from cloud metadata services such as AWS IMDSv1 and GCP metadata.
  • Lateral movement to trusted services within the internal network.

Detection Guidance

This vulnerability can be detected by monitoring and inspecting webhook registration requests to the /api/webhook endpoint in Pinpoint 3.1.0. Since authenticated users can register internal URLs, the key check is whether a registered webhook URL points to an internal network address, a loopback address, or a cloud metadata endpoint.

Network detection can involve capturing outgoing POST requests triggered by alarm threshold breaches to internal hosts or metadata endpoints.

  • Use network traffic analysis tools (e.g., tcpdump or Wireshark) to filter HTTP POST requests from the Pinpoint server to internal IP ranges or known cloud metadata IPs.
  • Example tcpdump command to capture POST requests to internal IPs (e.g., 10.0.0.0/8): tcpdump -i <interface> 'tcp and dst net 10.0.0.0/8 and tcp[((tcp[12] & 0xf0) >> 2):4] = 0x504f5354'
  • Check the webhook registration logs or API request logs for suspicious webhook URLs that point to internal or cloud metadata endpoints.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the webhook registration feature until a patch is applied.

Ensure that only trusted and authorized users can register webhook URLs, and implement strict validation to block URLs pointing to internal network addresses, loopback addresses, or cloud metadata endpoints.

Monitor and audit webhook registrations and alarm-triggered POST requests to detect and block any attempts to exploit the SSRF vulnerability.

Apply any available patches or updates from the Pinpoint project that address this SSRF vulnerability.
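One way to implement the validation step described above, as an added example that is not Pinpoint project code: a webhook URL check that rejects non-HTTP schemes and embedded credentials, blocks loopback, private, link-local (which covers 169.254.169.254) and multicast addresses, blocks known metadata hostnames, and checks every address a hostname resolves to. The `BLOCKED_HOSTNAMES` set and the injectable `resolver` parameter are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames used by cloud metadata services or loopback; assumed list, extend per provider.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}


def is_disallowed_address(ip) -> bool:
    """True for any address a webhook must never target: loopback, RFC 1918,
    link-local (which covers 169.254.169.254), shared address space, reserved,
    multicast and unspecified. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def validate_webhook_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` has socket.getaddrinfo's signature and is
    injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"
    try:
        # Literal IP (urlsplit strips the brackets from IPv6 literals).
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname: resolve it and check every returned address, because a
        # public-looking name may resolve to an internal one.
        try:
            infos = resolver(host, None, proto=socket.IPPROTO_TCP)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in candidates:
        if is_disallowed_address(ip):
            return False, f"{host} resolves to disallowed address {ip}"
    return True, "ok"
```

Because DNS answers can change between registration and the alarm-triggered POST, run the same check again immediately before each delivery rather than only at registration time.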
