CVE-2026-3270 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in PSI Probe, a popular open-source monitoring tool for Apache Tomcat servers. This vulnerability affects the lookup function within the file psi-probe-core/src/main/java/psiprobe/tools/Whois.java of the Whois component. By manipulating the Whois functionality, attackers can force the server to make unauthorized requests to internal or external resources, potentially exposing sensitive network infrastructure or facilitating further attacks.
Critical Impact
Remote attackers with low privileges can exploit this SSRF vulnerability to access internal network resources, bypass security controls, and potentially pivot to other systems within the infrastructure.
Affected Products
- PSI Probe versions up to and including 5.3.0
- psi-probe psi_probe (all versions through 5.3.0)
Discovery Timeline
- 2026-02-27 - CVE-2026-3270 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-3270
Vulnerability Analysis
The vulnerability resides in PSI Probe's Whois functionality, specifically within the Whois.java file located at psi-probe-core/src/main/java/psiprobe/tools/Whois.java. The lookup function does not properly validate or sanitize user-supplied input before making network requests, allowing attackers to manipulate the destination of server-initiated requests.
SSRF vulnerabilities like this one enable attackers to abuse server functionality to access or interact with internal systems that would otherwise be unreachable from the external network. The attack can be initiated remotely by authenticated users with low privilege levels, making it accessible to a wide range of potential threat actors.
Root Cause
The root cause of this vulnerability is insufficient input validation in the Whois lookup function. The lookup function in Whois.java accepts user-controlled input to specify the target of Whois queries without properly restricting the destination to legitimate Whois servers. This allows attackers to redirect requests to arbitrary internal or external endpoints.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery): the application does not sufficiently verify the destination before making outbound network requests, so an attacker can coerce the server into sending requests to unintended locations.
Attack Vector
The attack vector is network-based, allowing remote exploitation by authenticated users. An attacker can exploit this vulnerability through the following mechanism:
- The attacker authenticates to the PSI Probe management interface with low-level credentials
- The attacker crafts a malicious Whois lookup request with a specially crafted domain or IP address
- The PSI Probe server processes the request and initiates a connection to the attacker-specified destination
- The server returns the response to the attacker, potentially disclosing information about internal services
The vulnerability mechanism involves inadequate validation of the lookup target in the Whois component. When a user initiates a Whois query, the lookup function processes the request without verifying that the target is a legitimate Whois server, allowing attackers to redirect requests to arbitrary internal services or cloud metadata endpoints. For detailed technical analysis, refer to the GitHub Issue Discussion and VulDB entry.
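As an added example (not PSI Probe's code), this is the check the analysis above says the lookup function lacks: a Whois target is accepted only if it is an allowlisted server name on port 43 and every address it resolves to is public, so neither an internal host nor an allowlisted name rebound to an internal address can be reached. The allowlist (seeded with the two servers from this page's iptables workaround) and the injectable resolver are assumptions.

```python
import ipaddress
import socket

# Hypothetical hardened target check for a Whois lookup (added example, not
# PSI Probe's code). The allowlist reuses the two servers from this page's
# iptables workaround; an operator would extend it.
ALLOWED_WHOIS_SERVERS = frozenset({"whois.iana.org", "whois.icann.org"})
WHOIS_PORT = 43


def is_forbidden_address(addr: str) -> bool:
    """Ranges an SSRF would aim at: RFC1918/ULA, loopback, link-local (which
    covers the 169.254.169.254 metadata endpoint), unspecified, multicast."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def resolve_all(host: str) -> list:
    """Default resolver: every A/AAAA answer for the host (uses the network)."""
    return [ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)]


def validate_whois_target(host: str, port: int, resolver=resolve_all) -> tuple:
    """Return (ok, reason). Only allowlisted names on port 43 whose every
    resolved address is public are accepted."""
    host = host.strip().rstrip(".").lower()
    if port != WHOIS_PORT:
        return False, f"port {port} is not the Whois port {WHOIS_PORT}"
    try:  # raw IP literals are refused: legitimate Whois servers are named
        ipaddress.ip_address(host.strip("[]"))
        return False, "IP literals are not accepted as Whois servers"
    except ValueError:
        pass
    if host not in ALLOWED_WHOIS_SERVERS:
        return False, f"{host!r} is not an allowlisted Whois server"
    try:  # check every answer so a rebound allowlisted name is still refused
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution of {host} failed: {exc}"
    bad = [a for a in addrs if is_forbidden_address(a)]
    if not addrs or bad:
        return False, f"{host} resolves to non-public address(es): {', '.join(bad) or 'none'}"
    # Callers should connect to one of `addrs`, not re-resolve by name, so the
    # address that was checked is the address that is used.
    return True, "ok"
```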
Detection Methods for CVE-2026-3270
Indicators of Compromise
- Unusual outbound connections from the PSI Probe application server to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254) originating from the Tomcat server running PSI Probe
- Anomalous Whois lookup requests containing internal hostnames, IP addresses, or non-standard ports
- Log entries showing Whois queries to destinations other than known Whois servers
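Added example, not from the page or the PSI Probe project: the indicators above turned into a scan over constructed egress flow records, flagging the PSI Probe host reaching the cloud metadata endpoint, internal address space, or a port-43 server outside an allowlist. The host addresses, the allowlist and the key=value record format are assumptions.

```python
import ipaddress
import re

# Constructed sample egress flow records (not real logs). The PSI Probe host
# address, the allowlisted Whois server and the record format are assumptions.
PSI_PROBE_HOSTS = frozenset({"10.20.0.15"})
KNOWN_WHOIS_SERVERS = frozenset({"192.0.47.59"})  # resolved allowlist, port 43
METADATA_ENDPOINTS = frozenset({"169.254.169.254"})
SAMPLE_FLOWS = """\
2026-03-01T10:00:01Z src=10.20.0.15 dst=192.0.47.59 dport=43 proto=tcp
2026-03-01T10:00:07Z src=10.20.0.15 dst=169.254.169.254 dport=80 proto=tcp
2026-03-01T10:00:09Z src=10.20.0.15 dst=10.20.5.40 dport=6379 proto=tcp
2026-03-01T10:00:12Z src=10.20.0.15 dst=198.41.0.4 dport=43 proto=tcp
2026-03-01T10:00:15Z src=10.20.0.99 dst=10.20.5.40 dport=6379 proto=tcp
"""
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify_flow(src: str, dst: str, dport: int):
    """Return an alert reason for one flow, or None if it looks benign."""
    if src not in PSI_PROBE_HOSTS:
        return None  # only egress from the PSI Probe host is in scope here
    ip = ipaddress.ip_address(dst)
    if dst in METADATA_ENDPOINTS:
        return "cloud metadata endpoint reached from PSI Probe host"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"internal address reached on port {dport}"
    if dport == 43 and dst not in KNOWN_WHOIS_SERVERS:
        return "Whois query to a server outside the allowlist"
    return None


def detect_ssrf_egress(flow_log: str) -> list:
    """Scan flow records; return (timestamp, dst, reason) per suspicious flow."""
    alerts = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed records rather than failing the scan
        reason = classify_flow(m["src"], m["dst"], int(m["dport"]))
        if reason:
            alerts.append((m["ts"], m["dst"], reason))
    return alerts


if __name__ == "__main__":
    for ts, dst, reason in detect_ssrf_egress(SAMPLE_FLOWS):
        print(f"{ts} {dst}: {reason}")
```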
Detection Strategies
- Implement network monitoring to detect outbound connections from PSI Probe servers to internal network ranges or sensitive endpoints
- Configure web application firewall (WAF) rules to inspect and block suspicious patterns in Whois lookup requests
- Enable detailed logging for the PSI Probe application and monitor for unusual activity in the Whois component
- Deploy SentinelOne Singularity to detect anomalous network behavior and potential SSRF exploitation attempts
Monitoring Recommendations
- Monitor egress traffic from PSI Probe servers for connections to internal RFC1918 address ranges
- Set up alerts for any requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.)
- Review PSI Probe access logs regularly for unusual patterns in Whois functionality usage
- Implement network segmentation monitoring to detect lateral movement attempts following SSRF exploitation
How to Mitigate CVE-2026-3270
Immediate Actions Required
- Review and restrict access to the PSI Probe Whois functionality to only trusted administrators
- Implement network-level controls to prevent the PSI Probe server from making unauthorized outbound connections
- Apply the principle of least privilege to PSI Probe user accounts
- Consider disabling the Whois functionality if not required for operations
Patch Information
At the time of disclosure, the vendor (psi-probe) was contacted but did not respond to responsible disclosure attempts. No official patch is currently available. Organizations should monitor the PSI Probe project for future security updates and apply patches as soon as they become available.
For tracking this vulnerability, refer to:
Workarounds
- Disable or restrict access to the Whois component in PSI Probe until an official patch is released
- Implement an allowlist of permitted Whois servers at the network firewall level
- Deploy a reverse proxy in front of PSI Probe to filter and validate Whois requests
- Use network segmentation to isolate PSI Probe servers from sensitive internal resources
# Configuration example - Restrict outbound connections from Tomcat server
# Add iptables rules to limit outbound connections to approved Whois servers only.
# Hostnames given to -d are resolved once, when the rule is inserted; re-apply the rules if their addresses change.
iptables -A OUTPUT -p tcp -d whois.iana.org --dport 43 -j ACCEPT
iptables -A OUTPUT -p tcp -d whois.icann.org --dport 43 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 43 -j DROP
# These rules only constrain port 43; pair them with egress rules that block the
# Tomcat host from reaching internal ranges and 169.254.169.254 on other ports.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

