Description
Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive (e.g., reaching loopback/private ranges) from the Homarr host/container network context. This issue has been patched in version 1.54.0.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

An unauthenticated Server‑Side Request Forgery (SSRF) flaw was reported in Homarr's rssFeed.ts module. An attacker can hand the Homarr server an arbitrary URL, and the server then issues an outbound HTTP or HTTPS request to it from the host or container. That turns the dashboard into a request proxy into whatever its network context can reach, including loopback services and private IP ranges that are not exposed to the attacker directly. The weakness is classified as CWE‑918 (Server‑Side Request Forgery): a client‑controlled URL is fetched without restricting where it may point.

Affected Systems

The flaw affects the open‑source Homarr dashboard from homarr‑labs, with all releases prior to version 1.54.0 vulnerable. Users running any earlier version of Homarr on a publicly reachable host or container are at risk.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects a flaw that is reachable over the network without authentication or user interaction, with a direct impact rated as a low loss of confidentiality and no integrity or availability impact. The EPSS score below 1 % indicates a low predicted probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog; the SSVC assessment recorded in the history below does, however, note that a proof of concept exists and that exploitation is automatable. An attacker needs only to send a crafted request to the unauthenticated rssFeed endpoint from any network that can reach the Homarr instance. What can then be reached is bounded by the outbound connectivity of the Homarr host or container rather than by the attacker's own network position, so an internet‑facing instance that sits beside unauthenticated internal services is the worst case.

Generated by OpenCVE AI on April 16, 2026 at 10:58 UTC.

Remediation

Vendor fix: Homarr 1.54.0, which the description above states patches the issue. No vendor‑provided workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Homarr to version 1.54.0 or later, where the SSRF flaw is patched.
  • If an upgrade is not immediately possible, restrict the Homarr container's outbound traffic with firewall rules or network segmentation. Because the RSS feature legitimately fetches feeds from the internet, the useful rule shape is to deny egress to loopback, RFC 1918 private ranges and link‑local addresses (including cloud metadata endpoints such as 169.254.169.254) while still allowing general outbound HTTP(S), and to keep the container off any network that carries internal services it does not need.
  • As a temporary workaround, put the instance behind an authenticating reverse proxy or otherwise restrict access to the rssFeed endpoint to trusted clients. Treat this as a stopgap: it removes the unauthenticated trigger but does not add the missing destination check, so an authenticated user could still cause the same outbound request.

Generated by OpenCVE AI on April 16, 2026 at 10:58 UTC.
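The destination check that the remediation above is trying to approximate from the outside, written as an added TypeScript example. This is not Homarr's code and not the fix shipped in 1.54.0, whose details this page does not give; it shows the shape of a server‑side RSS fetcher that refuses client‑supplied URLs pointing at loopback, private, link‑local or IPv4‑mapped addresses, rejects non‑HTTP(S) schemes, and fails a hostname whose DNS answers mix public and internal addresses. The hostnames and addresses in the lookup table are constructed for the example, and the resolver is injected so it runs offline.

```typescript
// Added example, not Homarr's code: the destination check a server-side RSS
// fetcher needs before following a URL a client supplied (CWE-918).
import { isIP } from "node:net";

// Addresses a dashboard must never be made to contact on a client's behalf:
// loopback, RFC 1918, shared address space, link-local (which includes the
// 169.254.169.254 cloud metadata endpoint), the "this network" block, and
// their IPv6 counterparts including IPv4-mapped forms.
export function isForbiddenAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) {
    const [a, b] = ip.split(".").map(Number);
    return (
      a === 127 ||                          // 127.0.0.0/8 loopback
      a === 10 ||                           // 10.0.0.0/8
      (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
      (a === 192 && b === 168) ||           // 192.168.0.0/16
      (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10 shared address space
      (a === 169 && b === 254) ||           // 169.254.0.0/16 link-local / metadata
      a === 0                               // 0.0.0.0/8
    );
  }
  if (family === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === "::1" || v6 === "::") return true;   // loopback, unspecified
    if (/^fe[89ab]/.test(v6)) return true;          // fe80::/10 link-local
    if (/^f[cd]/.test(v6)) return true;             // fc00::/7 unique local
    // IPv4-mapped in dotted (::ffff:127.0.0.1) or hex (::ffff:7f00:1) spelling.
    const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isForbiddenAddress(dotted[1]);
    const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16);
      const lo = parseInt(hex[2], 16);
      return isForbiddenAddress(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
    }
    // Other spellings (uncompressed mapped forms, etc.) need a normalising IP
    // library in production; this example deliberately stops here.
    return false;
  }
  return true; // not a valid address literal at all: refuse
}

// DNS resolution is injected so the check is testable offline. In production
// wrap dns.lookup(host, { all: true }) here and pin the connection to the
// addresses that were checked, so a record that changes between check and
// fetch (DNS rebinding) cannot bypass the check.
export type Resolver = (hostname: string) => string[];

export interface Verdict { ok: boolean; reason?: string; addresses?: string[] }

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Validate a client-supplied feed URL before the server fetches it.
export function checkFeedUrl(raw: string, resolve: Resolver): Verdict {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // The WHATWG parser already normalises obfuscated IPv4 literals such as
  // http://2130706433/ to 127.0.0.1; IPv6 literals keep their brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const addresses = isIP(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: `${host} did not resolve` };
  const bad = addresses.find(isForbiddenAddress); // one bad answer fails the whole set
  if (bad) return { ok: false, reason: `${host} resolves to forbidden address ${bad}` };
  return { ok: true, addresses };
}

// Constructed lookup table standing in for DNS; these names and addresses are
// assumptions for the example, not anything taken from the advisory.
export const sampleResolver: Resolver = (hostname) => {
  const table: Record<string, string[]> = {
    "feeds.example.org": ["203.0.113.10"],
    "internal.corp.example": ["10.0.0.5"],
    "rebind.attacker.example": ["203.0.113.20", "127.0.0.1"],
  };
  return table[hostname] ?? [];
};

// Before (the unsafe shape the advisory describes): fetch(raw) with no check.
// After: refuse unless checkFeedUrl passes, then fetch with redirects disabled
// so a 3xx from a public host cannot bounce the request to an internal one.
export async function fetchFeedChecked(
  raw: string,
  resolve: Resolver,
  fetchImpl: (url: string, init: { redirect: "manual" }) => Promise<unknown>,
): Promise<unknown> {
  const verdict = checkFeedUrl(raw, resolve);
  if (!verdict.ok) throw new Error(`refused feed URL: ${verdict.reason}`);
  return fetchImpl(raw, { redirect: "manual" });
}
```

An RSS widget cannot use a host allowlist, since users legitimately point it at arbitrary public feeds, so the check has to be a deny‑list of non‑public destinations applied to every resolved address and to every redirect hop; egress filtering at the container boundary is the belt to this code's braces.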


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Homarr
                    |                | Homarr homarr
CPEs                |                | cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*
Vendors & Products  |                | Homarr
                    |                | Homarr homarr

Mon, 09 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
        |                | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Homarr-labs
                    |                | Homarr-labs homarr
Vendors & Products  |                | Homarr-labs
                    |                | Homarr-labs homarr

Sat, 07 Mar 2026 06:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Homarr is an open-source dashboard. Prior to version 1.54.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows a remote attacker to force the Homarr server to perform arbitrary outbound HTTP requests. This can be used as an internal network access primitive (e.g., reaching loopback/private ranges) from the Homarr host/container network context. This issue has been patched in version 1.54.0.
Title       |                | Homarr: Unauthenticated SSRF in rssFeed.ts
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1
            |                | {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:44:25.842Z

Reserved: 2026-02-24T02:31:33.266Z

Link: CVE-2026-27797

Vulnrichment

Updated: 2026-03-09T20:41:59.275Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:09.843

Modified: 2026-03-10T16:24:46.050

Link: CVE-2026-27797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses