CVE-2026-47684 Overview
CVE-2026-47684 is a Server-Side Request Forgery (SSRF) vulnerability in Sync-in Server, an open-source platform for file storage, sharing, collaboration, and syncing. The flaw exists in the URL download feature, where the private IP blocklist regex fails to match IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1. On dual-stack systems, attackers can bypass SSRF protections to reach internal network resources. The issue affects all versions prior to 2.3.0 and is tracked under [CWE-918].
Critical Impact
Authenticated attackers can bypass SSRF filters on dual-stack Sync-in deployments and force the server to issue requests to internal services, cloud metadata endpoints, and other restricted destinations.
Affected Products
- Sync-in Server versions prior to 2.3.0
- Deployments running on dual-stack (IPv4 + IPv6) hosts
- Instances exposing the URL download feature to authenticated users
Discovery Timeline
- 2026-06-16 - CVE-2026-47684 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-47684
Vulnerability Analysis
The vulnerability resides in the URL download feature of Sync-in Server. This feature allows authenticated users to instruct the server to fetch a remote URL and store the response. To prevent SSRF, Sync-in applies a regex-based blocklist that rejects requests targeting private IPv4 ranges such as 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The regex evaluates the host as an IPv4 literal. It does not normalize or canonicalize IPv6 representations of the same addresses. An attacker can supply an IPv4-mapped IPv6 address such as ::ffff:127.0.0.1 or ::ffff:169.254.169.254. The blocklist does not match these forms, so the request passes validation and is dispatched by the HTTP client.
On dual-stack hosts, the operating system resolves the mapped address back to the underlying IPv4 destination. The server consequently issues requests to localhost services, internal subnets, or cloud metadata endpoints that should be unreachable.
Root Cause
The root cause is incomplete input validation. The blocklist treats the URL host as a string and matches IPv4 dotted-quad patterns. It does not parse the host into a structured address object, does not expand IPv6 representations, and does not check whether an IPv6 literal embeds an IPv4 address in its lower 32 bits.
Attack Vector
Exploitation requires low-privilege authenticated access to a Sync-in instance that exposes the URL download feature. The attacker submits a download request with a URL whose host is an IPv4-mapped IPv6 literal pointing at an internal target. The server fetches the resource and may return its contents or side-effects to the attacker.
The vulnerability manifests in the URL validation routine described in the GitHub Security Advisory GHSA-q4x5-8cj6-52wg. Refer to that advisory and the v2.3.0 release notes for the corrected validation logic.
Detection Methods for CVE-2026-47684
Indicators of Compromise
- Outbound HTTP requests from the Sync-in Server process to loopback or link-local addresses such as 127.0.0.1, 169.254.169.254, or RFC 1918 ranges
- URL download submissions where the host component contains ::ffff: followed by an IPv4 dotted-quad
- Application logs showing successful URL download operations targeting IPv6 literals containing IPv4-mapped notation
- Unexpected access patterns to internal services or cloud instance metadata endpoints originating from the Sync-in host
Detection Strategies
- Inspect Sync-in application logs for URL download requests whose url parameter contains ::ffff:, 0:0:0:0:0:ffff:, or other IPv6 forms embedding IPv4 addresses
- Deploy egress network monitoring on the Sync-in host and alert when the process initiates connections to private, loopback, or metadata IP ranges
- Correlate authenticated user sessions with outbound requests to non-public destinations to identify abuse of the URL download feature
Monitoring Recommendations
- Enable verbose request logging in Sync-in and forward logs to a centralized analytics or SIEM platform for parsing of IPv6 literal hosts
- Apply host-based firewall rules that block outbound traffic from the Sync-in process to internal ranges and metadata services, then alert on rule hits
- Track version inventory across Sync-in deployments and flag any instance running a release earlier than 2.3.0
How to Mitigate CVE-2026-47684
Immediate Actions Required
- Upgrade Sync-in Server to version 2.3.0 or later, which corrects the private IP blocklist to handle IPv4-mapped IPv6 addresses
- Audit recent URL download activity for requests containing IPv6 literals that resolve to private or loopback addresses
- Restrict access to the URL download feature to trusted user roles where feasible until upgrades are complete
Patch Information
The fix is included in the Sync-in Server v2.3.0 release. Details on the corrected validation are available in the GitHub Security Advisory GHSA-q4x5-8cj6-52wg. Operators should pull the updated container image or source release and redeploy.
Workarounds
- Disable IPv6 on the Sync-in host or run it on an IPv4-only network namespace until the patch is applied
- Place the Sync-in server behind an egress proxy that enforces an allowlist of permitted external destinations and rejects IPv6 literals
- Use host firewall rules (iptables, nftables, or cloud security groups) to deny outbound traffic from the Sync-in process to loopback, link-local, and RFC 1918 ranges
# Example nftables egress restriction for the Sync-in host
nft add table inet syncin_egress
nft add chain inet syncin_egress output { type filter hook output priority 0 \; }
nft add rule inet syncin_egress output ip daddr { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } drop
nft add rule inet syncin_egress output ip6 daddr ::ffff:0:0/96 drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

