Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset
Description
Several Kolibri API endpoints accept an unvalidated baseurl parameter, enabling SSRF and response reflection, with one endpoint unauthenticated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs, reflecting the response body back to the caller. The affected endpoints are: GET /api/auth/remotefacilityuser (unauthenticated), POST /api/auth/remotefacilityauthenticateduserinfo, POST /api/public/setupwizard/loddata, and GET /api/public/networklocation//facilities/. The root cause is a combination of response reflection and lack of restriction on the remote target, allowing requests to any host that responds as a Kolibri server, including following 30x redirects. Versions prior to 0.19.4 are affected [1][2][3].
Exploitation
An attacker can send a crafted request to one of the vulnerable endpoints with a malicious baseurl. For the unauthenticated GET endpoint, no authentication is required. The server fetches the provided URL, which can be set to return a 302 redirect to an arbitrary internal service (e.g., cloud metadata endpoint). The Kolibri server follows the redirect and returns the redirected response body to the attacker. For authenticated endpoints, similar steps apply but require valid credentials [2][3].
Impact
Successful exploitation allows an attacker to perform Server-Side Request Forgery (SSRF), reading responses from internal services accessible from the Kolibri server. This can lead to information disclosure, including cloud metadata tokens or other internal data. The severity is amplified by the unauthenticated nature of one endpoint [2][3].
Mitigation
The issue is fixed in Kolibri version 0.19.4, released alongside this advisory [1]. Users should upgrade to this version or later. No known workarounds exist for unpatched versions. The vulnerability is not listed in CISA KEV as of publication [1][2][3].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 0.19.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Two compounding issues: (1) response reflection — endpoints return the remote server's JSON body verbatim to the caller; (2) no restriction on the remote target — baseurl is validated only by URLValidator(schemes=["http", "https"]) with no block on private IPs, and requests follows 30x redirects by default. [ref_id=1]"
Attack vector
An attacker sends a request to one of the affected endpoints with a `baseurl` parameter pointing to an attacker-controlled HTTP server. The Kolibri server connects to that server via `NetworkClient.build_for_address()`, which only validates the URL scheme (http/https) and hostname format — no block on private or loopback IPs [ref_id=1]. For the GET vector, the attacker's server responds with a 302 redirect to an arbitrary internal URL (e.g., cloud metadata endpoint), and `requests` follows the redirect, reflecting the redirected response body back to the attacker. For the POST vector, the attacker's server returns crafted JSON with smuggled fields that are reflected verbatim. The GET endpoint requires no authentication; the POST endpoint checks authentication against the remote server rather than the local Kolibri. [ref_id=1]
Affected code
The four affected endpoints are `RemoteFacilityUserViewset` (`kolibri/core/auth/api.py:1570`), `RemoteFacilityUserAuthenticatedViewset` (`kolibri/core/auth/api.py:1594`), the setup wizard's remote-signup proxy (`kolibri/plugins/setup_wizard/api.py`), and `NetworkLocationFacilitiesView` (`kolibri/core/discovery/api.py`). All four return the remote server's JSON body verbatim via `Response(response.json())` or equivalent patterns. [ref_id=1]
What the fix does
The patch applies four layers of defense: (1) response sanitization — each endpoint now coerces the remote response to a documented shape before returning it, dropping smuggled fields; (2) authentication — the previously-open `RemoteFacilityUser*` endpoints now require an authenticated caller (or an unprovisioned device for setup-wizard flows); (3) cross-host redirect blocking — remote-fetch HTTP sessions refuse 30x responses pointing to a different hostname; (4) peer allowlist — endpoints accepting a caller-supplied `baseurl` resolve it only to peers Kolibri already knows about. [ref_id=1]
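As an added illustration of three of the four defensive layers described above (response sanitization, cross-host redirect blocking, and a peer allowlist), the following standard-library Python is not code from the Kolibri patch. The documented field list, the set of known peers, and the in-memory "transport" that stands in for HTTP responses are all assumptions constructed for the example.

```python
"""Illustrative SSRF hardening checks (not the Kolibri patch's own code)."""
import json
from urllib.parse import urljoin, urlsplit

# Assumed documented shape of a remote facility-user record (field names are illustrative).
REMOTE_USER_FIELDS = ("username", "full_name", "facility_id")

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectBlocked(Exception):
    """Raised when a remote server tries to redirect us somewhere the policy forbids."""


def coerce_remote_user(payload):
    """Layer 1, response sanitization: keep only the documented fields.

    Anything else the remote server put in its JSON body (smuggled fields such as
    privilege flags) is dropped instead of being reflected back to the caller.
    """
    if not isinstance(payload, dict):
        raise ValueError("remote body is not a JSON object")
    return {key: payload[key] for key in REMOTE_USER_FIELDS if key in payload}


def redirect_allowed(current_url, location):
    """Layer 3, cross-host redirect blocking: follow a 30x only if the Location
    resolves to the same scheme and hostname as the URL we are already talking to."""
    target = urljoin(current_url, location)  # handles relative Location headers
    cur, tgt = urlsplit(current_url), urlsplit(target)
    return cur.scheme == tgt.scheme and cur.hostname == tgt.hostname


def validate_baseurl(baseurl, known_peers):
    """Layer 4, peer allowlist: a caller-supplied baseurl is accepted only if it is
    http/https and its hostname is a peer the server already knows about (assumed set)."""
    parts = urlsplit(baseurl)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname in known_peers


def fetch_with_policy(url, transport, max_hops=5):
    """Follow redirects only while redirect_allowed() holds.

    transport is a dict url -> (status, headers, body) standing in for real HTTP so
    the example runs offline; a real client would perform the request here.
    """
    for _ in range(max_hops):
        status, headers, body = transport[url]
        if status in REDIRECT_STATUSES:
            location = headers.get("Location", "")
            if not redirect_allowed(url, location):
                raise RedirectBlocked(f"refusing redirect from {url} to {location}")
            url = urljoin(url, location)
            continue
        return status, body
    raise RedirectBlocked("too many redirects")


def fetch_remote_user(url, transport):
    """Fetch a remote user record and return only its sanitized, documented shape."""
    status, body = fetch_with_policy(url, transport)
    if status != 200:
        raise ValueError(f"unexpected status {status}")
    return coerce_remote_user(json.loads(body))


# Constructed responses: a same-host redirect that is fine, and a cross-host one that is not.
CONSTRUCTED_TRANSPORT = {
    "http://peer.example/api/users/": (302, {"Location": "/api/users/v2/"}, ""),
    "http://peer.example/api/users/v2/": (
        200, {}, '{"username": "alice", "is_superuser": true}'),
    "http://peer.example/api/evil/": (
        302, {"Location": "http://127.0.0.1:8080/internal/"}, ""),
}

if __name__ == "__main__":
    print(fetch_remote_user("http://peer.example/api/users/", CONSTRUCTED_TRANSPORT))
    try:
        fetch_with_policy("http://peer.example/api/evil/", CONSTRUCTED_TRANSPORT)
    except RedirectBlocked as exc:
        print("blocked:", exc)
```

The same-host rule is deliberately strict: a change of scheme or hostname in the Location header ends the request rather than being followed, and the sanitizer runs on every body regardless, so a peer that is allowed to be contacted still cannot inject fields the endpoint never documented.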
Preconditions
- network: The attacker must be able to reach the Kolibri server's HTTP API (network access).
- auth: For the GET endpoint, no authentication is required. For the POST endpoint, authentication is checked against the remote server, not the local Kolibri.
- input: The attacker must control an HTTP server that responds with a valid Kolibri-shaped /api/public/info/ payload to pass the NetworkClient.build_for_address() check.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.