CVE-2026-28680 Overview
CVE-2026-28680 is a Server-Side Request Forgery (SSRF) vulnerability in Ghostfolio, an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services.
Critical Impact
This SSRF lets an attacker who can reach the manual asset import feature use the Ghostfolio server as an HTTP client under their control, reading responses from cloud instance metadata services (IMDS) and from services on the server's internal network. In cloud deployments the realistic outcome is theft of the instance's temporary IAM credentials and lateral movement from there. The advisory text reproduced here does not say whether the import feature is reachable without logging in; treat any account on the instance as a sufficient precondition rather than assuming an unauthenticated attacker.
Affected Products
- Ghostfolio versions prior to 2.245.0
Discovery Timeline
- 2026-03-06 - CVE-2026-28680 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28680
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), which is a weakness class, not a severity rating. It resides in Ghostfolio's manual asset import feature, which fails to validate and restrict user-supplied URLs before making server-side HTTP requests.
When a user imports assets manually, the application accepts a URL parameter that the server fetches without adequate validation. An attacker can therefore supply a URL that makes the server connect to arbitrary destinations, including internal network addresses, localhost services and cloud metadata endpoints, and read the response body back (a full-read SSRF, as opposed to a blind SSRF where only timing or side effects leak).
The impact is most severe in cloud-hosted deployments, where the attacker can point the server at the Instance Metadata Service at http://169.254.169.254/ and retrieve temporary security credentials, IAM role tokens and instance configuration data. Two caveats a responder should check before assuming credential theft: on AWS, an instance configured for IMDSv2 only (HttpTokens=required) rejects the token-less GET that a URL-only SSRF produces, so credentials are exposed only where IMDSv1 is still enabled; on GCP and Azure the metadata endpoints require a fixed request header (Metadata-Flavor: Google and Metadata: true respectively), which a fetcher the attacker steers by URL alone cannot add. Everything else reachable by a plain GET, such as internal admin interfaces and services that trust requests from the local network, remains exposed regardless.
Root Cause
The root cause is insufficient URL validation in the manual asset import functionality. The application does not restrict outbound requests with respect to:
- Private IP address ranges (RFC 1918)
- Localhost and loopback addresses
- Link-local addresses (169.254.0.0/16), which include the cloud metadata endpoints
- Non-HTTP(S) URL schemes; a safe fetcher allowlists http and https only
A check on the URL string alone is also not enough: hostnames must be resolved and every returned address checked (an attacker-controlled DNS name can point at 169.254.169.254, or rebind between the check and the connection), and HTTP redirects must be re-validated at each hop.
Without these safeguards, the server can be weaponized as a proxy to access resources that should not be reachable from external networks.
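The checks this section describes as missing, as an added example (not Ghostfolio's code, and not a claim about how the 2.245.0 fix is written): a TypeScript guard for a server-side fetcher that allowlists http/https, rejects embedded credentials, canonicalises the host through Node's WHATWG URL parser so decimal, hex and bracketed-IPv6 spellings of loopback and link-local addresses are caught, resolves hostnames and vets every returned address, and hands back the vetted address for the caller to pin. All function and type names are the example's own.

```typescript
import { URL } from 'node:url';
import * as net from 'node:net';
import { promises as dns } from 'node:dns';

// Added example of an SSRF guard for a server-side URL fetcher. Not Ghostfolio's
// code; it illustrates the checks the Root Cause section says were missing.

// IPv4 ranges a server-side fetcher must never be allowed to reach.
const BLOCKED_V4: Array<[string, number]> = [
  ['0.0.0.0', 8],      // "this" network
  ['10.0.0.0', 8],     // RFC 1918
  ['100.64.0.0', 10],  // shared address space (RFC 6598)
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, including IMDS at 169.254.169.254 / 169.254.170.2
  ['172.16.0.0', 12],  // RFC 1918
  ['192.168.0.0', 16], // RFC 1918
  ['224.0.0.0', 3],    // multicast, reserved and broadcast (224.0.0.0 to 255.255.255.255)
];

function v4ToInt(ip: string): number {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidrV4(ip: string, base: string, bits: number): boolean {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// True for loopback, private, link-local, unique-local and IPv4-mapped variants of them.
export function isBlockedIp(ip: string): boolean {
  if (net.isIPv4(ip)) return BLOCKED_V4.some(([base, bits]) => inCidrV4(ip, base, bits));
  if (net.isIPv6(ip)) {
    const low = ip.toLowerCase();
    // IPv4-mapped addresses smuggle a v4 target past v6-unaware checks.
    const dotted = low.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return isBlockedIp(dotted[1] ?? '');
    const hex = low.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1] ?? '0', 16), lo = parseInt(hex[2] ?? '0', 16);
      return isBlockedIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    if (low === '::1' || low === '::') return true;       // loopback / unspecified
    const firstHextet = parseInt(low.split(':')[0] || '0', 16);
    if ((firstHextet & 0xffc0) === 0xfe80) return true;   // fe80::/10 link-local
    if ((firstHextet & 0xfe00) === 0xfc00) return true;   // fc00::/7 unique local
    return false;
  }
  return true; // not an address literal at all: fail closed
}

export type Verdict =
  | { ok: true; host: string; pinnedIp?: string }
  | { ok: false; reason: string };

// Checks that need no DNS: scheme allowlist, no embedded credentials, and a host that
// is neither localhost nor a blocked literal. The WHATWG parser has already turned
// spellings such as http://2130706433/ or http://0x7f.1/ into 127.0.0.1.
export function checkUrlSyntax(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  let host = url.hostname;
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if (net.isIP(host)) {
    return isBlockedIp(host) ? { ok: false, reason: `blocked address ${host}` } : { ok: true, host, pinnedIp: host };
  }
  return { ok: true, host };
}

export function firstBlockedAddress(addrs: string[]): string | undefined {
  return addrs.find(isBlockedIp);
}

async function defaultResolve(host: string): Promise<string[]> {
  return (await dns.lookup(host, { all: true })).map((a) => a.address);
}

// Full check: syntax, then resolve the name and vet every address. pinnedIp is the
// address the caller must actually connect to (keeping the original hostname in the
// Host header / SNI), so a second lookup cannot be rebound after validation.
export async function validateImportUrl(
  raw: string,
  resolve: (host: string) => Promise<string[]> = defaultResolve,
): Promise<Verdict> {
  const syntax = checkUrlSyntax(raw);
  if (!syntax.ok || syntax.pinnedIp) return syntax;
  let addrs: string[];
  try {
    addrs = await resolve(syntax.host);
  } catch (e) {
    return { ok: false, reason: `DNS failure for ${syntax.host}` };
  }
  if (addrs.length === 0) return { ok: false, reason: `no address for ${syntax.host}` };
  const bad = firstBlockedAddress(addrs);
  if (bad) return { ok: false, reason: `${syntax.host} resolves to blocked address ${bad}` };
  return { ok: true, host: syntax.host, pinnedIp: addrs[0] };
}
```

The pinned address is the part most implementations skip: validating the name and then letting the HTTP client resolve it again hands an attacker-controlled DNS server a second answer (DNS rebinding). Connect to pinnedIp (in Node, through the lookup option of http.request) while sending the original hostname as Host and SNI, disable automatic redirect following and run each redirect target through validateImportUrl again, and cap response size and time so the fetcher cannot be used to stall the server.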
Attack Vector
The attack vector is network-based and needs only the ability to submit an import request; the advisory text reproduced here does not state that authentication is bypassed, so assume any user of the instance can do this. An attacker exploits the vulnerability by:
- Accessing the manual asset import functionality in Ghostfolio
- Submitting a crafted URL pointing to an internal resource or cloud metadata service
- The server processes the request and returns the response content to the attacker
- Sensitive data such as cloud credentials, internal service responses, or network topology information is exfiltrated
For cloud deployments on AWS, GCP, or Azure, attackers typically target the IMDS endpoints to retrieve temporary IAM credentials, which can then be used for further compromise of cloud resources.
Detection Methods for CVE-2026-28680
Indicators of Compromise
- Unusual outbound HTTP requests from the Ghostfolio server to internal IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
- Access attempts to cloud metadata endpoints (169.254.169.254, 169.254.170.2)
- Web application logs showing requests to the asset import endpoint with suspicious URL parameters
- Unexpected network traffic patterns from the application server to localhost or internal services
Detection Strategies
- Monitor application logs for asset import requests containing private IP addresses or metadata service URLs
- Implement network-level detection for outbound requests from web application servers to internal IP ranges
- Deploy web application firewalls (WAF) with SSRF detection rules to block malicious URL patterns
- Do not expect cloud audit logs to show the IMDS reads themselves (AWS CloudTrail and VPC Flow Logs do not record traffic to 169.254.169.254); watch instead for the stolen credentials being used, for example AWS GuardDuty findings of the InstanceCredentialExfiltration family, and log outbound connections to the metadata address on the host itself
Monitoring Recommendations
- Configure alerting for any requests from Ghostfolio servers to RFC 1918 private address ranges
- Set up cloud security monitoring to detect IMDS access from unexpected sources
- Review Ghostfolio application logs regularly for unusual asset import activity
- Monitor DNS queries from the application server for resolution of internal hostnames
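An added example (not part of the advisory or of Ghostfolio) of the first detection strategy above applied to logs: it reads constructed JSON log lines, canonicalises each import URL through the WHATWG URL parser so obfuscated spellings of internal addresses surface, flags metadata, loopback and private targets as well as hostnames that embed the metadata address, and aggregates hits per user. The log field names (import_url, path), the route /api/v1/import and the sample lines are assumptions made for the example, not Ghostfolio's real log format.

```typescript
import { URL } from 'node:url';
import * as net from 'node:net';

// Added example of log-based triage for this SSRF; not Ghostfolio code. The log
// shape is an assumption: one JSON object per line, the import target in an
// "import_url" field, the import route at "/api/v1/import". Adjust both to what
// your reverse proxy or application actually records.

export interface Finding {
  ts: string;
  user: string;
  url: string;
  host: string;   // host after WHATWG URL canonicalisation
  reason: string;
}

// Lightweight triage classifier. The URL parser has already turned
// http://2130706433/ or http://0x7f.1/ into 127.0.0.1, so prefix tests suffice
// here; the guard inside the application should use a strict CIDR check.
export function classifyHost(host: string): string | null {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return 'loopback hostname';
  if (h === 'metadata.google.internal') return 'GCP metadata hostname';
  if (net.isIP(h)) {
    if (h === '169.254.169.254' || h === '169.254.170.2') return 'cloud metadata address';
    if (/^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.)/.test(h) || h === '::1') {
      return 'private or loopback address';
    }
    return null;
  }
  // Wildcard-DNS services (e.g. 169.254.169.254.nip.io) resolve a name to the
  // embedded address; the name itself is the tell when DNS answers are not logged.
  if (/(^|[.-])169[.-]254[.-]169[.-]254([.-]|$)/.test(h)) return 'metadata address embedded in hostname';
  return null;
}

export function scanImportLogs(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    let rec: Record<string, unknown>;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      continue; // not JSON: skip
    }
    const target = rec.import_url;
    if (rec.path !== '/api/v1/import' || typeof target !== 'string') continue;
    let host: string;
    try {
      host = new URL(target).hostname;
    } catch (e) {
      host = target; // unparseable: keep the raw value for the analyst
    }
    const reason = classifyHost(host);
    if (reason) findings.push({ ts: String(rec.ts), user: String(rec.user), url: target, host, reason });
  }
  return findings;
}

// Users with at least `threshold` suspicious imports: one hit may be a typo,
// several in a row is probing.
export function suspiciousUsers(findings: Finding[], threshold: number): string[] {
  const counts = new Map<string, number>();
  for (const f of findings) counts.set(f.user, (counts.get(f.user) ?? 0) + 1);
  return Array.from(counts).filter(([, n]) => n >= threshold).map(([u]) => u).sort();
}

// Constructed sample log lines for illustration (not real Ghostfolio logs).
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-03-07T10:12:01Z","user":"alice","path":"/api/v1/import","status":201,"import_url":"https://example.com/portfolio.csv"}',
  '{"ts":"2026-03-07T10:14:22Z","user":"mallory","path":"/api/v1/import","status":200,"import_url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
  '{"ts":"2026-03-07T10:14:40Z","user":"mallory","path":"/api/v1/import","status":200,"import_url":"http://2130706433:5432/"}',
  '{"ts":"2026-03-07T10:15:03Z","user":"mallory","path":"/api/v1/import","status":200,"import_url":"http://169.254.169.254.nip.io/latest/meta-data/"}',
  '{"ts":"2026-03-07T10:16:11Z","user":"bob","path":"/api/v1/portfolio","status":200}',
];
```

Run scanImportLogs over the sample and the three mallory lines come back flagged while alice's public URL and bob's unrelated request do not; suspiciousUsers(findings, 2) then reduces that to the one account worth an alert. A response status of 200 on an import pointed at the metadata address is the strongest signal in the set, since it means the server actually fetched and returned content.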
How to Mitigate CVE-2026-28680
Immediate Actions Required
- Upgrade Ghostfolio to version 2.245.0 or later immediately
- If immediate upgrade is not possible, disable or restrict access to the manual asset import feature
- Implement network segmentation to limit the Ghostfolio server's ability to reach internal services
- On AWS, set the instance metadata options to HttpTokens=required so that IMDSv1 is disabled; merely having IMDSv2 available does not help, because v1 stays enabled alongside it by default. If Ghostfolio runs in a container with bridge networking on the instance, also set HttpPutResponseHopLimit=1 so the IMDSv2 token handshake cannot complete from inside the container network
Patch Information
The vulnerability has been patched in Ghostfolio version 2.245.0. The fix implements proper URL validation and restricts requests to internal network addresses and cloud metadata endpoints. For detailed information about the patch, refer to the GitHub Release 2.245.0 and the GitHub Security Advisory GHSA-hhv6-c34h-pwgh.
Workarounds
- Deploy a reverse proxy or WAF in front of Ghostfolio to filter import requests whose URL targets internal addresses; treat this as a stopgap only, since string matching misses decimal, hex and DNS-name spellings of the same targets
- Use network policies or firewall rules to block outbound connections from the Ghostfolio server to internal IP ranges and metadata endpoints
- If running in a cloud environment, enforce IMDSv2 (HttpTokens=required on AWS), so that metadata requests need a session token obtained with a PUT, which a URL-only SSRF cannot issue
- Restrict access to the manual asset import feature to trusted users only through application-level access controls
# Example: block metadata endpoint access from the Ghostfolio service account with iptables
# (a host-wide rule without -m owner also breaks the instance's own IAM role lookups;
#  "ghostfolio" is an assumed service user name; traffic from Docker containers does not
#  traverse OUTPUT, so filter it in the DOCKER-USER chain instead)
iptables -A OUTPUT -d 169.254.169.254 -m owner --uid-owner ghostfolio -j DROP
iptables -A OUTPUT -d 169.254.170.2 -m owner --uid-owner ghostfolio -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


