Description
Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
Published: 2026-06-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pinpoint through version 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint. Because the application does not validate the destinations of webhook URLs, an authenticated user can register an internal URI. When the alarm threshold is breached, the Pinpoint server automatically issues a POST request to that URI, allowing the attacker to read or modify internal resources, including sensitive metadata endpoints. This flaw can lead to unauthorized disclosure of internal information and potentially aid further attacks against the network.

Affected Systems

The defect affects the Pinpoint APM product, including the Pinpoint Booking System WordPress plugin. All deployments running Pinpoint up to and including version 3.1.0 are vulnerable. Specific affected versions are not listed in the advisory, so any installation of Pinpoint prior to a fix should be considered at risk.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate impact with the attack requiring authenticated access. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the flaw permits an attacker who can register webhooks to force the Pinpoint server to contact internal hosts, potentially leaking data or enabling lateral movement. Successful exploitation would be limited to those internal services accessible from the Pinpoint server, and it does not directly allow arbitrary code execution.

Generated by OpenCVE AI on June 29, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pinpoint to the latest version that contains the SSRF fix.
  • If upgrading is not immediately possible, configure the application to validate webhook destinations against a whitelist, disallowing internal IP ranges and localhost references.
  • Restrict outbound connections from the Pinpoint server to internal networks using firewall rules or security groups to block unexpected POST traffic.
  • Monitor the server’s outbound POST activity for anomalies and alert on unexpected internal requests.
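A webhook destination validator of the kind the second recommendation describes, added here as an example; it is not Pinpoint's own code, the page does not state Pinpoint's implementation language (Python is used), and the hostnames and addresses in the comments and tests are constructed. It requires https, optionally enforces a hostname allowlist, rejects literal loopback, private and link-local addresses (including IPv4-mapped IPv6 forms), and resolves hostnames so that a name pointing at an internal address is rejected as well.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_public_ip(ip):
    """Globally routable unicast only: rejects loopback, RFC 1918/ULA, link-local
    (which covers the 169.254.169.254 cloud metadata address), multicast, reserved
    and unspecified ranges; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(host):
    # All A/AAAA answers for host from the system resolver (used by default).
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_webhook_url(url, allowed_hosts=None, resolve=resolve_all):
    """Return (ok, reason). allowed_hosts is an optional hostname allowlist;
    resolve is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https webhooks are accepted"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"{host} is not on the webhook allowlist"
    try:  # literal IP in the URL: check it directly, no DNS involved
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_public_ip(literal):
            return True, "ok"
        return False, f"{host} is not a public address"
    # Hostname: every resolved address must be public, otherwise a name that
    # maps to an internal IP (or mixes public and internal records) slips through.
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} did not resolve to any address"
    for addr in addrs:
        if not is_public_ip(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Because DNS answers can change between registration and delivery (rebinding), repeat the check when the alarm fires and connect to the address that was validated rather than to a freshly resolved one.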

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
Title | | Pinpoint - Server-Side Request Forgery via Alarm Webhook Registration
First Time appeared | | Pinpoint; Pinpoint pinpoint Booking System
Weaknesses | | CWE-918
CPEs | | cpe:2.3:a:pinpoint:pinpoint_booking_system:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Pinpoint; Pinpoint pinpoint Booking System
References | |
Metrics | | cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}; cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T19:41:08.876Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57947

Vulnrichment

Updated: 2026-06-29T19:41:05.157Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T19:30:02Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)