Skip to content
Verified reproduction

CVE-2026-57947: Pinpoint through 3.1.0 allows authenticated users to register internal webhook URLs, leading to SSRF when alarm webhooks are delivered.

CVE-2026-57947 is verified against pinpoint-apm/pinpoint · maven affected versions: <= 3.1.0 (affected from 0 through 3.1.0) fixed version: Not specified in advisory; GitHub issue milestone 3.1.1; no fixed commit identified vulnerability class: SSRF This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00253.

REPRO-2026-00253 pinpoint-apm/pinpoint · maven SSRF Variant found Jul 6, 2026 .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 59m 13s
Tool calls 338
Spend $7.79
Affected <= 3.1.0 (affected from 0 through 3.1.0)
Fixed in Not specified in advisory; GitHub issue milestone 3.1.1; no fixed commit identified
$ pruva-verify REPRO-2026-00253
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00253/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

Pinpoint through 3.1.0 allows authenticated users to register webhook URLs that resolve to internal hosts or metadata endpoints. The webhook registration endpoint performs only syntactic URL validation and does not block private/loopback/link-local ranges. When an alarm fires, the server issues an outbound HTTP POST to each registered URL, enabling SSRF to internal resources and potential data exposure.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.