Description
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
Published: 2026-03-06
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Server Side Request Forgery (SSRF) that can expose internal resources
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a logic flaw in Idno’s authentication flow that bypasses CSRF protection on a publicly accessible URL unfurl endpoint. Because the endpoint does not require login, any unauthenticated user can send a request to cause the server to fetch arbitrary URLs. The server then returns the retrieved content, allowing attackers to probe internal hosts, services, or cloud instance metadata. This is a classic Server Side Request Forgery flaw, classified as CWE-918, and can lead to data exposure or internal reconnaissance.

Affected Systems

Installations of the Idno social publishing platform running a version older than 1.6.4 are affected. The advisory indicates that any unpatched release before the 1.6.4 update is vulnerable, regardless of deployment size or environment.

Risk and Exploitability

The CVSS score of 9.2 signals a high severity, but the EPSS score of less than 1% indicates that exploitation is unlikely in the wild. The issue is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been observed. An attacker can trigger the SSRF simply by making an HTTP request to the unfurl endpoint without authentication; no additional conditions are required. However, because the flaw allows outbound requests to any URL reachable from the server, the potential impact is significant, especially if the server can reach sensitive internal services or cloud metadata endpoints.

Generated by OpenCVE AI on April 16, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Idno to version 1.6.4 or later, which removes the authentication bypass and enforces authentication on the unfurl endpoint.
  • If an upgrade cannot be applied immediately, restrict access to the unfurl endpoint with firewall rules or network segmentation so that only trusted hosts can reach it.
  • Enable logging or network monitoring to detect unexpected outbound HTTP requests from the Idno server and configure alerts for potential SSRF activity.

Generated by OpenCVE AI on April 16, 2026 at 11:39 UTC.
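The kind of destination check an unfurl or link-preview fetcher needs, as an added defender's example that is not Idno's code (Python is used because the page does not show the project's own implementation): the requested host is resolved once, every returned address is checked against loopback, private, link-local (which includes the instance-metadata range), multicast and IPv4-mapped ranges, and the caller gets the pinned IPs it must connect to, so a later DNS answer cannot swap in an internal address. The blocked ranges, the web-ports-only policy and all function names are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations the fetcher must never reach (policy assumed here); 169.254.0.0/16
# covers the 169.254.169.254 metadata address, ::ffff:0:0/96 the IPv4-mapped forms.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96")]

def address_allowed(ip_text: str) -> bool:
    """True only for a routable public unicast address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in BLOCKED_NETWORKS)

def system_resolver(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def vet_unfurl_target(url: str, resolver=system_resolver):
    """Return (allowed, reason, pinned_ips) for a requested unfurl URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", []
    try:
        if parts.port not in (None, 80, 443):  # assumed policy: web ports only
            return False, "port not allowed", []
    except ValueError:                         # non-numeric port in the URL
        return False, "port not allowed", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # IP literal: skip DNS
    except ValueError:
        try:
            ips = resolver(host)               # resolve once, check every answer
        except OSError:                        # socket.gaierror is an OSError
            return False, "resolution failed", []
    # Any internal answer rejects the whole record set (mixed or rebinding records).
    blocked = [ip for ip in ips if not address_allowed(ip)]
    if not ips or blocked:
        return False, "non-public or unresolved target", []
    return True, "ok", ips                     # fetcher must connect to these IPs
```

The fetcher should open its connection to one of the returned pinned IPs (sending the original Host header) rather than passing the URL to an HTTP client that resolves the name again.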

Advisories
Source | ID | Title
Github GHSA | GHSA-fcrh-fqxh-6fx6 | Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint
History

Mon, 16 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Withknown; Withknown known
CPEs | | cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*
Vendors & Products | | Withknown; Withknown known
Metrics | | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Fri, 06 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Idno; Idno idno
Vendors & Products | | Idno; Idno idno

Fri, 06 Mar 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
Title | | Idno: Unauthenticated SSRF via URL Unfurl Endpoint
Weaknesses | | CWE-918
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:07:56.001Z

Reserved: 2026-02-27T20:57:47.709Z

Link: CVE-2026-28508

Vulnrichment

Updated: 2026-03-06T16:00:21.792Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:35.233

Modified: 2026-03-16T14:03:38.950

Link: CVE-2026-28508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses