CVE-2026-48053

MEDIUMPre-NVD 5.85.8
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 85% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
5.8
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 5.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary

Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser* viewsets; remediation review found two further reflection points on the same pattern. The GET endpoint was unauthenticated.

Affected endpoints

Reported:

  • GET /api/auth/remotefacilityuserRemoteFacilityUserViewset (kolibri/core/auth/api.py:1570). No authentication required.
  • POST /api/auth/remotefacilityauthenticateduserinfoRemoteFacilityUserAuthenticatedViewset (kolibri/core/auth/api.py:1594). Authentication is checked against the *remote* server rather than the local Kolibri.

Found during remediation:

  • POST /api/public/setupwizard/loddata → setup wizard's remote-signup proxy (kolibri/plugins/setup_wizard/api.py). Reachable on unprovisioned devices.
  • GET /api/public/networklocation//facilities/NetworkLocationFacilitiesView (kolibri/core/discovery/api.py). Authenticated but with the same Response(remote_payload) pattern.

Root cause

Two compounding issues:

  • Response reflection — these endpoints returned the remote server's JSON body more or less verbatim to the caller (Response(response.json()), Response(facility_info["users"]), etc.).
  • No restriction on the remote targetbaseurl was validated only by URLValidator(schemes=["http", "https"]). NetworkClient.build_for_address() would connect to any host with a valid Kolibri-shaped /api/public/info/ response, and requests followed 30x redirects by default, so a hostile peer could pivot the fetch to an arbitrary host (cloud metadata, internal services) before reflection.

Two reflection vectors

GET vector (RemoteFacilityUserViewset): The viewset fetched /api/public/facilitysearchuser/ and returned Response(response.json()). An attacker-controlled baseurl returned a 302 to an arbitrary internal URL; requests followed the redirect, and the redirected response body was returned to the attacker.

POST vector (RemoteFacilityUserAuthenticatedViewset): get_remote_users_info() fetched /api/public/facilityuser/ with Basic Auth and the viewset returned Response(facility_info["users"]). A malicious baseurl returned crafted user-shaped JSON; arbitrary smuggled fields were reflected back to the caller. The setup wizard and NetworkLocationFacilitiesView endpoints had the same shape on different remote URLs.

Reproduction

The vulnerability can be reproduced by pointing baseurl at an attacker-controlled HTTP server that:

  • Responds to GET /api/public/info/ with a valid Kolibri info payload (so NetworkClient.build_for_address() succeeds).
  • GET vector: responds to GET /api/public/facilitysearchuser/ with a 302 redirect to the target URL. The redirected response body is reflected via Response(response.json()).
  • POST vector: responds to the relevant remote URL with crafted JSON containing additional fields. The full JSON is reflected.

A working PoC has been retained internally and is not published with this advisory.

Demonstrated impact (pre-fix)

  • Unauthenticated outbound requests from the Kolibri server to any HTTP(S) URL the attacker chose (GET endpoint only; the others required auth or an unprovisioned device).
  • Reflected data exfiltration for any HTTP endpoint that responded to a plain GET with JSON and no special request headers.
  • Cloud metadata reachability was realistic but service-specific:
  • AWS IMDSv1 — reachable
  • DigitalOcean (/metadata/v1.json) — reachable
  • GCP, Azure, AWS IMDSv2 — *not* reachable via this vector (require Metadata-Flavor / Metadata / token headers that the attacker could not inject)
  • Reachability of internal HTTP services on the same network as the Kolibri server, with their JSON responses returned to the attacker.

Not demonstrated

The earlier draft asserted port scanning via a timing oracle and generic "internal network mapping." The reflection vector reads response bodies directly when the target speaks JSON; timing-based scanning of arbitrary TCP services was not demonstrated and is not the headline risk.

Mitigation

Four layers of defence:

  • Response sanitisation. Each affected endpoint now coerces the remote response to a documented shape before returning it. Smuggled fields are dropped.
  • Authentication. The previously-open RemoteFacilityUser* endpoints now require an authenticated caller (or an unprovisioned device, for setup-wizard flows).
  • Cross-host redirect blocking. Remote-fetch HTTP sessions refuse 30x responses that point to a different hostname. Same-host redirects still work.
  • Peer allowlist. Endpoints that accept a caller-supplied baseurl resolve it only to peers Kolibri already knows about, rather than connecting to arbitrary hosts. Discovery and CLI flows that legitimately need to probe new addresses use a separate code path.

Credit

Initial report and identification of the RemoteFacilityUser* viewsets by @beraoudabdelkhalek. Reflection-based PoC, additional vector identification, and remediation by the Kolibri maintainers.

Original report by @beraoudabdelkhalek

Summary

The RemoteFacilityUserViewset API endpoint (/api/auth/remotefacilityuser) has no authentication or permission checks and accepts a user-controlled baseurl parameter. This parameter is passed directly to NetworkClient.build_for_address() which makes server-side HTTP requests to the attacker-specified URL. An unauthenticated attacker can force the Kolibri server to reach out to arbitrary internal hosts, port-scan internal networks, and access cloud metadata endpoints.

Details

This is mainly due to the following issues:

1. Missing authentication on the API endpoint

File: kolibri/core/auth/api.py, line ~1553

class RemoteFacilityUserViewset(views.APIView):  # No permission_classes → AllowAny
    def get(self, request):
        baseurl = request.query_params.get("baseurl", "")
        validator(baseurl)  # Only checks URL format (http/https scheme + valid hostname)
        client = NetworkClient.build_for_address(baseurl)
        response = client.get(url, params={"facility": facility, "search": username})

No permission_classes attribute is defined, and DEFAULT_PERMISSION_CLASSES is not set in the DRF configuration, so the endpoint defaults to AllowAny , accepting requests with zero authentication.

Similarly, RemoteFacilityUserAuthenticatedViewset (line ~1577, POST endpoint) also has no permission_classes, though it currently checks permissions via a different mechanism. The initial build_for_address() call still fires before that check.

2. Weak URL validation

File: kolibri/utils/urls.py, line 1-7

from django.core.validators import URLValidator
validator = URLValidator(schemes=["http", "https"])

The only validation is that the URL has an http or https scheme and a valid hostname. There is no block on:

  • RFC 1918 private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Loopback addresses (127.0.0.0/8, ::1)
  • Link-local addresses (169.254.0.0/16, including AWS/GCP/Azure metadata endpoints)
  • IPv6 equivalents of any of the above

PoC

Prerequisites: A listener on a host reachable by the Kolibri server (e.g., nc -lvp 1337) the listener can be local or remote.

Against a local Docker deployment (validated against Kolibri 0.19.3):

# Trigger the SSRF no auth headers needed
curl "http://localhost:8080/api/auth/remotefacilityuser?baseurl=http://172.17.0.1:1337&username=test&facility="

The Kolibri server makes an outbound HTTP request to the attacker's listener:

GET /api/public/info/?v=3 HTTP/1.1
Host: 172.17.0.1:1337
User-Agent: Kolibri/0.19.3 python-requests/2.27.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Testers have also confirmed the issue against live deployments of Kolibri.

Impact

Unauthenticated SSRF : any attacker who can reach the Kolibri server can make it issue HTTP requests to arbitrary hosts, with no credentials needed Internal network scanning : the built-in port scanning behavior (5+ ports per HTTP target, 24+ connection attempts per request) allows mapping internal networks through the timing oracle Cloud metadata access : if Kolibri runs on a cloud VM (AWS EC2, GCP, Azure), the attacker can reach 169.254.169.254 and potentially exfiltrate IAM credentials and instance metadata Internal service discovery : other Kolibri instances or internal services on the network can be discovered and their API responses read by the attacker Blind SSRF via POST endpoint : RemoteFacilityUserAuthenticatedViewset returns 403 to the attacker but still makes the outbound request before the permission check

CVSS v3
5.8
EG Score
5.8(low)
EPSS
15.1%
KEV
Not listed

Published

June 11, 2026

Last Modified

June 11, 2026

Vendor Advisories for CVE-2026-48053(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
kolibri0.0.1.dev20160531112859 ... 0.9.2 (126 versions)0.19.4

Data Freshness Timeline

(refreshed 6× in last 7d / 27× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 02:51 UTCEG score recompute
  2. 2026-07-05 11:45 UTCEG score recompute
  3. 2026-07-04 11:23 UTCEG score recompute
  4. 2026-07-03 07:43 UTCEG score recompute
  5. 2026-07-02 03:33 UTCEG score recompute
  6. 2026-07-01 03:15 UTCEG score recompute
  7. 2026-06-30 02:57 UTCEG score recompute
  8. 2026-06-29 02:39 UTCEG score recompute
  9. 2026-06-28 02:22 UTCEG score recompute
  10. 2026-06-27 02:05 UTCEG score recompute
  11. 2026-06-26 01:47 UTCEG score recompute
  12. 2026-06-25 01:29 UTCEG score recompute
  13. 2026-06-24 01:12 UTCEG score recompute
  14. 2026-06-23 00:53 UTCEG score recompute
  15. 2026-06-22 00:04 UTCEG score recompute
  16. 2026-06-20 21:10 UTCEG score recompute
  17. 2026-06-19 20:36 UTCEG score recompute
  18. 2026-06-18 20:18 UTCEG score recompute
  19. 2026-06-17 19:49 UTCEG score recompute
  20. 2026-06-16 19:29 UTCEG score recompute
  21. 2026-06-15 19:12 UTCEG score recompute
  22. 2026-06-14 23:18 UTCEPSS rescore
  23. 2026-06-14 18:54 UTCEG score recompute
  24. 2026-06-13 18:37 UTCEG score recompute
  25. 2026-06-12 23:12 UTCEPSS rescore
Show 2 more
  1. 2026-06-12 18:16 UTCEG score recompute
  2. 2026-06-11 17:56 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-48053?
CVE-2026-48053 is a medium vulnerability published on June 11, 2026. Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report…
When was CVE-2026-48053 disclosed?
CVE-2026-48053 was first published in the National Vulnerability Database on June 11, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48053 actively exploited?
CVE-2026-48053 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 15.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-48053?
CVE-2026-48053 has a CVSS v4.0 base score of 5.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48053?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48053, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48053

Explore →

Is Your Infrastructure Affected by CVE-2026-48053?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.