Description
Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Full-Read Server Side Request Forgery enabling attackers to read arbitrary internal URLs and cloud metadata
Action: Immediate Patch
AI Analysis

Impact

Ghostfolio’s manual asset import process lacks proper validation on user-supplied URLs, permitting a full‑read SSRF. An attacker can supply a crafted request that forces the server to fetch data from any internal or externally exposed endpoint, including instance metadata services that expose credentials and configuration. This flaw can lead to the exposure of highly sensitive information, compromising confidentiality and potentially enabling further lateral movement.

Affected Systems

All installations of Ghostfolio older than version 2.245.0 are vulnerable. The issue is confined to the open‑source product available under the ghostfolio:ghostfolio CNA.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the web UI used for manual asset import; an attacker must have access to the application but does not require elevated privileges. Exploitation would involve providing a malicious URL to the import functionality, resulting in data exfiltration if the target environment hosts services such as cloud metadata endpoints or internal APIs.

Generated by OpenCVE AI on April 16, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Ghostfolio to version 2.245.0 or later
  • If an upgrade is impossible, temporarily disable the manual asset import feature or restrict it to trusted users
  • Enforce network segmentation and firewall rules to block outbound connections from the Ghostfolio application to sensitive internal services

Generated by OpenCVE AI on April 16, 2026 at 11:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Ghostfol
Ghostfol ghostfolio
CPEs cpe:2.3:a:ghostfol:ghostfolio:*:*:*:*:*:*:*:*
Vendors & Products Ghostfol
Ghostfol ghostfolio

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ghostfolio
Ghostfolio ghostfolio
Vendors & Products Ghostfolio
Ghostfolio ghostfolio

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.
Title Ghostfolio: Full-Read SSRF in Manual Asset Import
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Ghostfol Ghostfolio
Ghostfolio Ghostfolio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:07:29.614Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28680

cve-icon Vulnrichment

Updated: 2026-03-06T16:00:15.772Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:37.343

Modified: 2026-03-10T19:53:22.550

Link: CVE-2026-28680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:45:26Z

Weaknesses