CVE-2026-57947: Pinpoint through 3.1.0 allows authenticated users to register internal webhook URLs, leading to SSRF when alarm webhooks are delivered.
CVE-2026-57947 is verified against pinpoint-apm/pinpoint · maven affected versions: <= 3.1.0 (affected from 0 through 3.1.0) fixed version: Not specified in advisory; GitHub issue milestone 3.1.1; no fixed commit identified vulnerability class: SSRF This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00253.
pruva-verify REPRO-2026-00253 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00253/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Pinpoint through 3.1.0 allows authenticated users to register webhook URLs that resolve to internal hosts or metadata endpoints. The webhook registration endpoint performs only syntactic URL validation and does not block private/loopback/link-local ranges. When an alarm fires, the server issues an outbound HTTP POST to each registered URL, enabling SSRF to internal resources and potential data exposure.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.