CVE-2026-28508: Idno Vulnerable to Unauthenticated SSRF via URL Unfurl Endpoint

March 2, 2026 (updated March 6, 2026)

A logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content.

References

github.com/advisories/GHSA-fcrh-fqxh-6fx6
github.com/idno/idno
github.com/idno/idno/releases/tag/1.6.4
github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6
nvd.nist.gov/vuln/detail/CVE-2026-28508

Code Behaviors & Features

Detect and mitigate CVE-2026-28508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →