VYPR
Critical severity · CVSS 9.8 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-30118

Description

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to exposure of authentication cookies and headers and to possible privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SSRF in scalar/astro v0.1.13 proxy endpoint forwards cookies to attacker-controlled URLs, exposing session identifiers.

Vulnerability

The Scalar proxy endpoint in scalar/astro v0.1.13 accepts a scalar_url query parameter that is passed directly to a server-side HTTP fetcher without validation. The fetch request forwards the full Cookie header and other request headers from the inbound client request verbatim to the attacker-supplied destination. The vulnerability exists in the proxy endpoint (e.g., proxy.scalar.com or any self-hosted instance) and is reachable without authentication [1].

Exploitation

An attacker crafts a GET request to the proxy endpoint with an attacker-controlled URL as the scalar_url parameter; no authentication is needed to reach the endpoint. The backend server (running on GCP infrastructure for the hosted instance) performs a server-side fetch to that URL, copying the inbound request's Cookie header and other forwarded headers (e.g., X-Forwarded-For) into the outbound request. When a victim's browser is induced to issue that request (for example by following a link to the crafted proxy URL), the cookies it attaches for the proxy's domain are forwarded to the attacker's HTTP listener, where they can be captured, exfiltrating cookies from the victim's session [1].

Impact

On Scalar's hosted instance (proxy.scalar.com), the leaked cookies do not include authentication tokens, because the hosted instance keeps those in localStorage rather than in cookies. However, they expose analytics and team/workspace identifiers (e.g., scalar-team-uid, _li_dcdm_c, _lc2_fpi, ph_phc_..._posthog). For self-hosted deployments that set domain-scoped authentication cookies readable by the proxy, this SSRF could lead to full account takeover and privilege escalation. The vulnerability is rated CVSS 9.8 (Critical) due to the potential for unauthenticated remote exploitation and credential exposure [1].

Mitigation

As of the published advisory, no fixed version is mentioned. Users of scalar/astro v0.1.13 are advised to restrict access to the proxy endpoint and, if self-hosted, ensure no authentication cookies are set on a scope that the proxy can read. A vendor patch or update is expected; administrators should monitor the official repository for a patched release [1].
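As an added example (not code from the scalar/astro project or from the advisory), the following Node.js snippet contrasts the header-forwarding behaviour described under Vulnerability with a hardened handler for a proxy endpoint of this kind, along the lines of the Mitigation advice: the target taken from scalar_url is validated against an explicit host allowlist, literal loopback, private, link-local and cloud-metadata addresses are rejected outright, and credential-bearing headers (Cookie, Authorization, and forwarding headers such as X-Forwarded-For) are never copied onto the outbound request. The function names, the allowlist and the sample request are assumptions constructed for illustration; no network I/O is performed.

```javascript
// Added example (not scalar/astro code): validating a proxy target URL and
// stripping credential-bearing headers before a server-side fetch.
// Function names, the allowlist and the sample data are assumptions.

// Inbound request headers that carry the caller's credentials, session state
// or network provenance. None of these may be copied to the outbound request.
const STRIP_HEADERS = new Set([
  "cookie", "authorization", "proxy-authorization", "host",
  "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-real-ip",
]);

// Vulnerable shape, kept for contrast: every inbound header is forwarded
// verbatim, so a Cookie header reaches whatever host scalar_url names.
function forwardHeadersVulnerable(inboundHeaders) {
  return { ...inboundHeaders };
}

// Hardened shape: forward only headers that are not in the strip list.
function forwardHeadersHardened(inboundHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(inboundHeaders)) {
    if (!STRIP_HEADERS.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// True when `hostname` (as returned by the WHATWG URL parser, which normalizes
// IPv4 literals to dotted decimal) is a loopback, unspecified, link-local,
// RFC 1918 or CGNAT IPv4 address, or a loopback/link-local/unique-local/
// IPv4-mapped IPv6 literal (URL.hostname keeps the surrounding brackets).
function isBlockedIpLiteral(hostname) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (m) {
    const [a, b] = [Number(m[1]), Number(m[2])];
    return a === 0 || a === 10 || a === 127 ||
      (a === 100 && b >= 64 && b <= 127) ||   // 100.64.0.0/10
      (a === 169 && b === 254) ||             // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168);
  }
  if (hostname.startsWith("[") && hostname.endsWith("]")) {
    const v6 = hostname.slice(1, -1).toLowerCase();
    return v6 === "::" || v6 === "::1" || v6.startsWith("fe80:") ||
      v6.startsWith("fc") || v6.startsWith("fd") || v6.startsWith("::ffff:");
  }
  return false;
}

// Validate an attacker-controllable target. Returns { ok: true, url } or
// { ok: false, reason }. Hostnames are compared against an explicit allowlist;
// IP literals in blocked ranges are rejected even if someone allowlists them.
function validateTargetUrl(raw, allowedHosts) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (isBlockedIpLiteral(url.hostname)) return { ok: false, reason: "private or loopback target" };
  if (!allowedHosts.includes(url.hostname.toLowerCase())) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  return { ok: true, url: url.toString() };
}

// Build the outbound request (URL and headers) or a 400 rejection. No I/O is
// performed here; a real handler would hand the result to fetch().
function buildProxyRequest(query, inboundHeaders, allowedHosts) {
  const target = validateTargetUrl(query.scalar_url ?? "", allowedHosts);
  if (!target.ok) return { status: 400, error: target.reason };
  return { status: 200, url: target.url, headers: forwardHeadersHardened(inboundHeaders) };
}

// Constructed sample data: the request a victim's browser might send after
// following an attacker-supplied link to the proxy. All values are made up.
const ALLOWED_HOSTS = ["api.example.com"];
const SAMPLE_QUERY = { scalar_url: "https://attacker.example/collect" };
const SAMPLE_HEADERS = {
  Cookie: "scalar-team-uid=abc123; session=not-a-real-secret",
  Authorization: "Bearer not-a-real-token",
  "X-Forwarded-For": "203.0.113.7",
  Accept: "application/json",
};

console.log("vulnerable forwards:", Object.keys(forwardHeadersVulnerable(SAMPLE_HEADERS)));
console.log("hardened forwards:  ", Object.keys(forwardHeadersHardened(SAMPLE_HEADERS)));
console.log(buildProxyRequest(SAMPLE_QUERY, SAMPLE_HEADERS, ALLOWED_HOSTS));
console.log(buildProxyRequest({ scalar_url: "https://api.example.com/v1/pets" }, SAMPLE_HEADERS, ALLOWED_HOSTS));
```

The allowlist is the load-bearing control: checking IP literals alone does not stop a hostname that resolves to a private address or changes its resolution between check and connect (DNS rebinding). If a deployment genuinely must proxy to arbitrary public hosts, the resolved address has to be checked at connection time (for example through a custom lookup in the HTTP agent), which this example deliberately does not attempt.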

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

0

No linked articles in our index yet.