Description
ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.
Published: 2026-04-23
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs. This weakness lets an attacker submit a crafted request that forces the server to perform arbitrary outbound HTTP requests to any target URL, potentially exposing internal resources or facilitating further attacks. The issue corresponds to the CWE‑777 category of insufficient input validation, as well as CWE‑94, which covers code execution vulnerabilities arising from unvalidated input.

Affected Systems

All ntfy installations older than version 2.22.0 are affected. The product is the open‑source notification server hosted at ntfy.sh and distributed through the ntfy project.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of < 1 % signals a low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation could involve sending a crafted request to the parseActions endpoint without requiring authentication; once triggered, the server will send arbitrary outbound HTTP requests, potentially reaching internal networks or enabling further attacks.

Generated by OpenCVE AI on July 9, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ntfy to version 2.22.0 or newer to apply the vendor patch
  • Restrict access to the parseActions endpoint via IP whitelisting or firewall rules so that only trusted hosts can reach it
  • Monitor server logs for unexpected action requests and investigate anomalies that may indicate exploitation attempts

Generated by OpenCVE AI on July 9, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pqhx-w72w-m393 ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function
History

Thu, 09 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Title SSRF via Unanchored Regular Expression in ntfy before v2.22.0

Thu, 09 Jul 2026 03:45:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery via Unanchored URL Validation in ntfy

Tue, 07 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Title Server‑Side Request Forgery via Unanchored URL Validation in ntfy

Mon, 06 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title SSRF Vulnerability in ntfy Web Push Endpoint Parsing

Mon, 06 Jul 2026 04:15:00 +0000

Type Values Removed Values Added
Title SSRF Vulnerability in ntfy Web Push Endpoint Parsing

Sat, 04 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description ntfy before 2.22.0 allows SSRF because of an unanchored regular expression. ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.
Weaknesses CWE-777
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Mon, 04 May 2026 07:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Action Parsing in Ntfy ntfy.sh

Mon, 04 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function ntfy before 2.22.0 allows SSRF because of an unanchored regular expression.
References

Tue, 28 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Action Parsing in Ntfy ntfy.sh

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ntfy
Ntfy ntfy.sh
Vendors & Products Ntfy
Ntfy ntfy.sh

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-05T16:16:27.697Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39087

cve-icon Vulnrichment

Updated: 2026-04-23T18:58:08.343Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T16:16:25.063

Modified: 2026-06-17T10:41:50.797

Link: CVE-2026-39087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T15:30:05Z

Weaknesses
  • CWE-777

    Regular Expression without Anchors

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')