CVE-2026-59101
Received Received - Intake

SSRF Vulnerability in AutoBangumi Before 3.2.8

Vulnerability report for CVE-2026-59101, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloader endpoint during the initial setup window, causing the server to issue HTTP GET requests to internal or reserved addresses and leak information through echoed connection-error messages.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-03
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
estrellaxd auto_bangumi to 3.2.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by attempting to send POST requests to the /api/v1/setup/test-downloader endpoint during the initial setup window of AutoBangumi versions before 3.2.8. By supplying arbitrary host values in these requests, you can observe if the server issues HTTP GET requests to internal or reserved IP addresses and returns connection-error messages that leak information.

A practical detection method involves using tools like curl or similar HTTP clients to send crafted POST requests to the vulnerable endpoint and analyzing the responses for leaked internal network information.

  • Example curl command to test the vulnerability: curl -X POST http://<target-host>/api/v1/setup/test-downloader -d '{"host":"http://internal-ip-or-host"}' -H 'Content-Type: application/json'
  • Monitor server responses for connection-error messages that indicate the server attempted to connect to the supplied internal host.
Executive Summary

CVE-2026-59101 is a Server-Side Request Forgery (SSRF) vulnerability found in AutoBangumi versions before 3.2.8. It allows unauthenticated remote attackers to send arbitrary host values to an unprotected setup endpoint, specifically the POST /api/v1/setup/test-downloader endpoint during the initial setup phase.

When exploited, the server issues HTTP GET requests to internal or reserved IP addresses based on the attacker-supplied host values. The server then leaks information through connection-error messages that are echoed back in the response, enabling attackers to probe internal network services.

Impact Analysis

This vulnerability can impact you by allowing attackers to probe and gather information about your internal network services without authentication. By exploiting the SSRF flaw, attackers can potentially discover internal IP addresses and services that are not meant to be publicly accessible.

Such information leakage can be a stepping stone for further attacks, including unauthorized access or exploitation of internal systems, increasing the risk to your network's security.

Mitigation Strategies

The immediate mitigation step is to upgrade AutoBangumi to version 3.2.8 or later, where this SSRF vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the /api/v1/setup/test-downloader endpoint, especially during the initial setup phase, to trusted networks or authenticated users only.

Additionally, monitor and block suspicious POST requests targeting this endpoint that contain arbitrary host values to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59101. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart