Description
ntfy before 2.22.0 allows SSRF because of an unanchored regular expression.
Published: 2026-04-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unanchored regular expression in the action parsing routine of ntfy allows a remote attacker to cause the server to issue arbitrary HTTP requests to any URL. This Server‑Side Request Forgery (SSRF) flaw, categorized as a Code Injection weakness (CWE‑94), can expose internal services, credentials, or sensitive data that are otherwise inaccessible from the outside. The flaw does not require authentication and can be triggered by any client that can reach the parseActions endpoint.
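The defect class named above, a regular expression used to validate a URL without ^ and $ anchors, is easy to see in a few lines. The following Go program (ntfy is a Go project) is an added illustration and is not ntfy's code: the two patterns, the notify.example allowlist host, the function names and the sample inputs are all constructed for this example, and the page does not show ntfy's actual expression or its fix.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// allowedHost is a constructed allowlist entry for this example; it is not
// an ntfy setting.
const allowedHost = "notify.example"

// weakPattern has no ^ or $ anchors. regexp.MatchString reports true when
// the pattern occurs anywhere in the input, so whatever precedes or follows
// the matched fragment is never examined. This is the class of defect the
// advisory describes (ntfy's real pattern is not shown on the page).
var weakPattern = regexp.MustCompile(`https?://notify\.example`)

// anchoredPattern pins the match to the entire input. The optional path
// group must begin with "/", so "notify.example.other.example" cannot
// pass as the allowed host.
var anchoredPattern = regexp.MustCompile(`^https?://notify\.example(/[^\s]*)?$`)

// WeakCheck validates an action URL with the unanchored pattern.
func WeakCheck(raw string) bool {
	return weakPattern.MatchString(raw)
}

// AnchoredCheck validates with the anchored pattern.
func AnchoredCheck(raw string) bool {
	return anchoredPattern.MatchString(raw)
}

// ParsedCheck is the more robust defence: parse the URL and compare the
// structured scheme and host fields instead of trusting a regex over the
// raw string. It also rejects userinfo ("user@host"), which a host-only
// regex can misread.
func ParsedCheck(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	return u.User == nil && u.Hostname() == allowedHost
}

// sampleInputs are constructed for this example: one legitimate URL and
// three that merely contain or resemble the allowed host.
var sampleInputs = []string{
	"https://notify.example/hook",
	"http://other.example/?next=https://notify.example/",
	"https://notify.example.other.example/",
	"https://notify.example@other.example/",
}

func main() {
	fmt.Printf("%-52s %-5s %-8s %-6s\n", "input", "weak", "anchored", "parsed")
	for _, in := range sampleInputs {
		fmt.Printf("%-52s %-5t %-8t %-6t\n", in, WeakCheck(in), AnchoredCheck(in), ParsedCheck(in))
	}
}
```

Run with go run: the first input passes all three checks, while the other three pass only the unanchored check. The parsed form is the one to prefer when reviewing a fix, since anchoring alone still leaves the regex author responsible for every URL syntax corner (ports, userinfo, percent-encoding) that net/url already handles.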

Affected Systems

All ntfy ntfy.sh installations older than version 2.22.0 are affected. The product is a standalone notification server; no vendor is specified beyond the ntfy project itself.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical impact, while the EPSS score of < 1 % shows a low probability of real‑world exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation is feasible remotely by sending a crafted request to the parseActions endpoint, with no prerequisite authentication. Once triggered, the server will perform arbitrary outbound HTTP requests, potentially accessing internal resources or facilitating further attacks.

Generated by OpenCVE AI on May 4, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ntfy ntfy.sh to version 2.22.0 or later to apply the vendor fix
  • If immediate upgrade is impossible, block or IP‑whitelist access to the parseActions endpoint so only trusted hosts can reach it
  • Monitor logs for unexpected action requests and investigate any anomalies that may indicate exploitation attempts

Generated by OpenCVE AI on May 4, 2026 at 06:50 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-pqhx-w72w-m393
Title: ntfy.sh allows a remote attacker to execute arbitrary code via the parseActions function

History

Mon, 04 May 2026 07:15:00 +0000
Title: Remote Code Execution via Action Parsing in Ntfy ntfy.sh

Mon, 04 May 2026 05:30:00 +0000
Description (value removed): An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
Description (value added): ntfy before 2.22.0 allows SSRF because of an unanchored regular expression.
References: (no values shown)

Tue, 28 Apr 2026 21:00:00 +0000
Title: Remote Code Execution via Action Parsing in Ntfy ntfy.sh

Tue, 28 Apr 2026 09:45:00 +0000
First Time appeared: Ntfy; Ntfy ntfy.sh
Vendors & Products: Ntfy; Ntfy ntfy.sh

Thu, 23 Apr 2026 19:15:00 +0000
Weaknesses: CWE-94
Metrics: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:45:00 +0000
Description: An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
References: (no values shown)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T05:20:27.872Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39087

Vulnrichment

Updated: 2026-04-23T18:58:08.343Z

NVD

Status : Awaiting Analysis

Published: 2026-04-23T16:16:25.063

Modified: 2026-05-04T06:16:00.913

Link: CVE-2026-39087

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T07:00:09Z

Weaknesses