Idno: Unauthenticated SSRF via URL Unfurl Endpoint
Description
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic error in Idno ≤1.6.3 lets unauthenticated attackers bypass CSRF protection and trigger SSRF via the URL unfurl endpoint, accessing internal services.
Vulnerability
CVE-2026-28508 is a server-side request forgery (SSRF) vulnerability in the Idno social publishing platform, affecting versions prior to 1.6.4. The root cause is a logic error in the API authentication flow of the API authentication checks for the URL unfurl service endpoint (/service/web/unfurl). The original authentication gatekeeper ($this->gatekeeper()) was explicitly removed from UrlUnfurl::getContent() with a comment indicating the endpoint needed to remain accessible to logged-out users, leaving only two weaker gatekeepers: xhrGatekeeper() and tokenGatekeeper() [1].
Exploitation
An unauthenticated remote attacker can trivially bypass the remaining CSRF protection. The xhrGatekeeper() only checks for the X-Requested-With: XMLHttpRequest header, which can be added by any client. The tokenGatekeeper() is also bypassed due to the same logic flaw, as detailed in the advisory [1]. Because no login is required, the attacker can send a crafted GET request to the unfurl endpoint with a controlled url parameter, forcing the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services [1][2].
Impact
Successful exploitation allows an attacker to read the response content from internal services, potentially exposing sensitive information such as cloud provider metadata (e.g., AWS, GCP credentials) or other internal resources. The CVSSv The CVSSv4 base score is 9.2 (High), reflecting the low attack complexity and high confidentiality impact [1].
Mitigation
The vulnerability has been patched in Idno version 1.6.4, released on the same day as the advisory [4]. Users are strongly advised to upgrade immediately to 1.6.4 or later. No workarounds are documented; the fix addresses the CSRF bypass and ensures proper authentication for the endpoint [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
idno/knownPackagist | < 1.6.4 | 1.6.4 |
Affected products
2- idno/idnov5Range: < 1.6.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-fcrh-fqxh-6fx6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28508ghsaADVISORY
- github.com/idno/idno/releases/tag/1.6.4ghsax_refsource_MISCWEB
- github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.