CVE-2026-30118 Overview
CVE-2026-30118 is a Server-Side Request Forgery (SSRF) vulnerability in scalar/astro version 0.1.13. The flaw resides in the scalar_url query parameter of the Scalar Proxy endpoint. Unauthenticated attackers can force the backend server to issue arbitrary HTTP requests to attacker-controlled URLs. Successful exploitation exposes authentication cookies and headers, and can enable account takeover and privilege escalation. The vulnerability is classified under CWE-918: Server-Side Request Forgery.
Critical Impact
Unauthenticated attackers can coerce the Scalar Proxy backend into sending HTTP requests with sensitive credentials to attacker-controlled hosts, enabling zero-click account takeover.
Affected Products
- scalar/astro version 0.1.13
- Applications embedding the Scalar Proxy endpoint with the vulnerable scalar_url handler
- Deployments exposing the Scalar Proxy to untrusted network clients
Discovery Timeline
- 2026-05-19 - CVE-2026-30118 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-30118
Vulnerability Analysis
The Scalar Proxy endpoint accepts a scalar_url query parameter and uses its value as the destination for a server-side HTTP request. The handler does not validate the supplied URL against an allowlist, nor does it block requests to internal address ranges or non-HTTP schemes. As a result, an attacker who can reach the proxy endpoint controls the outbound destination entirely.
When the backend issues the proxied request, it forwards authentication cookies and headers that belong to the proxy session or to upstream services it can reach. An attacker hosting a logging endpoint captures these credentials directly from the inbound request. The captured material can be replayed against the application to impersonate users or escalate privileges.
Because exploitation requires no authentication and no user interaction, the issue qualifies as a zero-click account takeover primitive. The proxy can also be redirected at metadata services or internal management interfaces, expanding the impact beyond credential theft to internal network reconnaissance.
Root Cause
The root cause is missing validation of the scalar_url parameter before it is used as the target of a server-issued HTTP request. The handler trusts client-supplied input to determine outbound network destinations.
Attack Vector
The attack is delivered over the network against the public Scalar Proxy endpoint. The attacker sends a request that sets scalar_url to a controlled host, then collects the incoming request on that host to extract cookies and headers. Further details and a proof of concept are available in the GitHub PoC Repository.
No verified exploit code is reproduced here. The referenced PoC repository documents the request shape and the captured credential material.
Detection Methods for CVE-2026-30118
Indicators of Compromise
- Outbound HTTP requests from the Scalar Proxy host to external domains that do not match the application's normal upstream targets
- Requests to the Scalar Proxy endpoint containing a scalar_url parameter pointing to external IP addresses, cloud metadata endpoints, or internal RFC1918 ranges
- Unexpected presence of Cookie or Authorization headers in egress traffic from the proxy host
Detection Strategies
- Inspect web server access logs for requests to the Scalar Proxy endpoint and flag scalar_url values pointing to non-allowlisted destinations
- Correlate proxy egress traffic with the originating client request to detect arbitrary URL fetching
- Alert on outbound requests from the proxy to 169.254.169.254, link-local addresses, or internal subnets
Monitoring Recommendations
- Forward web access logs and egress NetFlow from the proxy host into a centralized analytics platform for correlation
- Baseline the legitimate set of upstream hosts contacted by the proxy and alert on deviations
- Monitor for repeated requests to the proxy endpoint from a single source enumerating different scalar_url targets
How to Mitigate CVE-2026-30118
Immediate Actions Required
- Restrict network access to the Scalar Proxy endpoint until a fixed release is deployed
- Rotate any authentication cookies, session tokens, and API keys that the proxy host had access to
- Block outbound traffic from the proxy host to internal management ranges and cloud metadata services at the network layer
Patch Information
At the time of publication, no fixed version is listed in the NVD record for scalar/astro. Monitor the upstream project for a release that supersedes 0.1.13 and review the GitHub PoC Repository for vendor response updates.
Workarounds
- Place the Scalar Proxy behind an authenticated reverse proxy that strips the scalar_url parameter for untrusted clients
- Enforce an allowlist at the network egress layer so the proxy host can only reach approved upstream domains
- Drop or redact Cookie and Authorization headers on outbound requests originating from the proxy process
# Configuration example: egress allowlist using iptables on the proxy host
iptables -A OUTPUT -p tcp -d trusted-upstream.example.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d 169.254.169.254 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
