Description
Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0.
Published: 2026-02-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) and port‑scanning via public widget.app.ping endpoint
Action: Apply Patch
AI Analysis

Impact

The Homarr dashboard allowed any unauthenticated user to query the widget.app.ping tRPC endpoint with an arbitrary URL. The server then performed an outbound HTTP request to that URL, letting the attacker choose the destination of a request that originates from the Homarr instance. This is SSRF: the attacker can reach internal or otherwise restricted resources, and can build a reliable port-scanning primitive from the response status codes and fetch failures. Possible consequences are information disclosure, network reconnaissance, and further exploitation of services reachable from the host running Homarr; the forged request carries no more privilege than that host has on the network.

Affected Systems

This issue impacts Homarr dashboards running any version before 1.52.0. All installations of homarr-labs:homarr that have not been upgraded to at least 1.52.0 are susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The widget.app.ping endpoint requires no authentication, so anyone who can reach the Homarr instance, whether over the public internet or an internal network, can supply a crafted URL and trigger an outbound request from the server. Because open and closed ports can be told apart by status code or timing, the scan can be scripted for reconnaissance or other malicious purposes.

Generated by OpenCVE AI on April 17, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Homarr to version 1.52.0 or later to remove the vulnerable endpoint.
  • Configure the host firewall or security group to restrict outbound HTTP/HTTPS traffic from the Homarr server, limiting potential SSRF reach.
  • If an upgrade is not immediately possible, disable the widget.app.ping endpoint or apply an application‑level rule to block external HTTP requests from this route.



Advisories

No advisories yet.

History

Wed, 18 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Homarr; Homarr homarr
CPEs | | cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*
Vendors & Products | | Homarr; Homarr homarr

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Homarr-labs; Homarr-labs homarr
Vendors & Products | | Homarr-labs; Homarr-labs homarr

Fri, 06 Feb 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0.
Title | | Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:27:03.275Z

Reserved: 2026-01-29T14:03:42.539Z

Link: CVE-2026-25123

Vulnrichment

Updated: 2026-02-09T15:21:56.929Z

NVD

Status: Analyzed

Published: 2026-02-06T22:16:11.153

Modified: 2026-02-18T18:08:19.073

Link: CVE-2026-25123

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses