Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-30834

PinchTab has SSRF with Full Response Exfiltration via Download Handler
Back to all
CVE

CVE-2026-30834

PinchTab has SSRF with Full Response Exfiltration via Download Handler

SSRF with Full Response Exfiltration via Download Handler

Summary

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

Details

The GET /download?url=<url> handler in download.go accepts a user-controlled url parameter and passes it directly to chromedp.Navigate(dlURL) without any validation or sanitization.

// internal/handlers/download.go:78
if err := chromedp.Run(ctx, chromedp.Navigate(dlURL)); err != nil {
    return fmt.Errorf("navigate to %s: %w", dlURL, err)
}

Since the request is performed by the headless Chrome browser instance managed by PinchTab, it can access:

  1.  Local Files: Using the file:// scheme (e.g., file:///etc/passwd).
  2.  Internal Services: Accessing services bound to localhost or internal network IPs that are not reachable from the outside.
  3.  Cloud Metadata: Accessing cloud provider metadata endpoints (e.g., 169.254.169.254).

The server then returns the captured response body directly to the attacker, enabling full exfiltration of sensitive data.

PoC

To reproduce the vulnerability, ensure the PinchTab server is running and accessible.

  1.  Local File Read:

    Execute the following curl command to read /etc/passwd:

    ```bash

    curl -X GET "http://localhost:9867/download?url=file:///etc/passwd"

    ```

  1.  Internal Service Access:

    If a service is running on localhost:8080, access it via:

    ```bash

    curl -X GET "http://localhost:9867/download?url=http://localhost:8080/internal-admin"

    ```

The response will contain the content of the targeted file or service.

PoC video:

https://github.com/user-attachments/assets/b15776ea-13cc-4534-ba7b-6d5c4e0ee74f

Impact

This is a high-severity SSRF vulnerability. It impacts the confidentiality and security of the host system and the internal network where PinchTab is deployed. Attackers can exfiltrate sensitive system files, probe internal network infrastructure, and potentially gain access to internal management interfaces or cloud credentials. While PinchTab is often used in local environments, any deployment where the API is exposed (even with authentication) allows a compromised or malicious client to pivot into the internal network.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
C
H
U
-

Related Resources

No items found.

References

https://github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg, https://nvd.nist.gov/vuln/detail/CVE-2026-30834, https://github.com/pinchtab/pinchtab

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00021%
EPSS Percentile
0.05945%
Introduced Version
0
Fix Available
0.7.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading