Home

Description

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

PUBLISHED Reserved 2026-06-26 | Published 2026-06-29 | Updated 2026-07-14 | Assigner VulnCheck




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N

HIGH: 8.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version
affected

Credits

George Chen finder

References

github.com/pinpoint-apm/pinpoint/issues/13857 (Researcher Disclosure) issue-tracking

www.vulncheck.com/...-forgery-via-alarm-webhook-registration third-party-advisory

cve.org (CVE-2026-57947)

nvd.nist.gov (CVE-2026-57947)

Download JSON