Description
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an incorrect access control bug in the webhook management component of Project Firefly III version 6.5.9. A crafted POST request can bypass authentication and allow an attacker to scan internal resources, potentially exposing sensitive data. This flaw is identified as CWE-284 and results in data disclosure and possible extension to further exploitation.

Affected Systems

Installations running Project Firefly III v6.5.9 are affected. No other vendor or product identifiers are listed; the issue resides in the open‑source code package shipped with that release.

Risk and Exploitability

A CVSS score of 9.1 signals critical severity, while an EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the web application over the network to send the malicious POST request, making the exploit straightforward for anyone with such access.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Project Firefly III to a version where the webhook access control has been fixed.
  • If an upgrade is not possible immediately, limit the webhook management endpoint to trusted IP ranges or require additional authentication such as HTTP basic auth.
  • Audit existing webhooks for sensitive data exposure and remove any that are no longer needed.

Generated by OpenCVE AI on June 18, 2026 at 01:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Firefly
Firefly project Firefly Iii
Vendors & Products Firefly
Firefly project Firefly Iii

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Webhook Access Enables Resource Enumeration in Project Firefly III v6.5.9

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Webhook Access Enables Resource Enumeration in Project Firefly III v6.5.9

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
References

Subscriptions

Firefly Project Firefly Iii
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:49:05.213Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50886

cve-icon Vulnrichment

Updated: 2026-06-16T14:45:00.477Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:31.580

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50886

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:11Z

Weaknesses