CVE-2026-50886
Description
Firefly III v6.5.9 lacks access control in webhook management, allowing low-privileged authenticated users to create and trigger webhooks to internal HTTP services via SSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Firefly III v6.5.9 contains an access control vulnerability in the webhook management component. The API endpoints for creating and updating webhooks do not enforce the dedicated webhook management role, allowing any low-privileged authenticated user to create webhooks. Additionally, the webhook URL validator explicitly accepts IPv4 loopback addresses in 127.0.0.0/8, enabling server-side requests to internal services [1].
Exploitation
An attacker must be an authenticated, non-owner user on a deployment where webhooks are enabled. The attacker first creates a webhook via POST /api/v1/webhooks with a target URL pointing to an internal service (e.g., http://127.0.0.1:8080/hit). Then, the attacker creates a transaction group via the normal transaction API and triggers the webhook with POST /api/v1/webhooks/{webhook_id}/trigger-transaction/{transactionGroup_id}. This causes the server to send a POST request to the specified internal URL [1].
Impact
Successful exploitation results in authenticated Server-Side Request Forgery (SSRF) from the Firefly III server. An attacker can interact with localhost services or, depending on deployment networking, other internal HTTP services reachable by the Firefly III host. The specific impact depends on the sensitivity of those internal services [1].
Mitigation
As of the publication date (2026-06-15), no fixed version was announced in the available references. Administrators should restrict access to the webhook feature by disabling it for untrusted users or network-segmenting the Firefly III server from sensitive internal services. Monitor for unauthorized webhook creations or trigger events [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 6.5.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing role enforcement on webhook create/update/trigger APIs combined with acceptance of loopback URLs allows authenticated SSRF."
Attack vector
A low-privileged authenticated API user creates a webhook with a loopback URL (e.g., `http://127.0.0.1:8080/hit`), then creates a transaction group and triggers delivery via `POST /api/v1/webhooks/{webhook}/trigger-transaction/{transactionGroup}`. The server sends a Guzzle POST request to the attacker-controlled URL, enabling SSRF against localhost or other reachable internal HTTP services [1].
Affected code
The webhook create and update API request classes in Firefly III v6.5.9 leave the accepted role list empty instead of enforcing the dedicated webhook management role, and the webhook URL validator explicitly accepts IPv4 loopback addresses in 127.0.0.0/8 [1].
What the fix does
The advisory does not provide a patch diff. The recommended fix is to enforce the dedicated webhook management role on the create, update, and trigger API paths, and to reject loopback addresses in the webhook URL validator [1].
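As an added illustration of the validator half of that fix, the following is a standalone destination check for webhook URLs. It is not Firefly III's own code (which is PHP); it is a Python equivalent written for this page, with hypothetical names such as `validate_webhook_url` and an injectable resolver so it can be exercised offline. It goes further than rejecting 127.0.0.0/8 alone: IPv6 loopback, IPv4-mapped IPv6 forms, RFC 1918 and link-local ranges, the literal name `localhost`, non-HTTP schemes, and DNS names that resolve to any such address are all refused.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# A resolver maps a hostname to the address strings it resolves to. It is
# injectable so the check can run offline in tests (hypothetical interface,
# not part of Firefly III).
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Resolve through the OS resolver; IPv6 scope ids (fe80::1%eth0) are stripped."""
    return sorted({info[4][0].split("%", 1)[0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_destination(ip: IPAddress) -> bool:
    """True for any address a webhook must never be delivered to."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return (
        ip.is_loopback       # 127.0.0.0/8 and ::1, the range the vulnerable validator accepted
        or ip.is_private     # RFC 1918, fc00::/7 and other IANA special-purpose ranges
        or ip.is_link_local  # 169.254.0.0/16 (cloud metadata endpoints) and fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_webhook_url(url: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return None when url is an acceptable webhook target, otherwise a rejection reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme must be http or https"
    host = parts.hostname  # brackets stripped from IPv6 literals, lower-cased
    if not host:
        return "URL has no host"
    if parts.username is not None or parts.password is not None:
        return "credentials in the URL are not allowed"
    try:
        # IP literal: check it directly.
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: reject the well-known local names outright, then
        # resolve and check every returned address so a DNS name pointing at
        # loopback or an internal range is caught as well.
        if host == "localhost" or host.endswith(".localhost"):
            return "localhost is not allowed"
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return "host could not be resolved"
        if not candidates:
            return "host resolved to no addresses"
    for ip in candidates:
        if is_forbidden_destination(ip):
            return f"destination {ip} is not a public address"
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the loopback URL from the advisory and a
    # public-looking hostname resolved by a fake resolver.
    print(validate_webhook_url("http://127.0.0.1:8080/hit"))
    print(validate_webhook_url("https://hooks.example.test/x", resolve=lambda h: ["93.184.216.34"]))
```

Two points the check alone does not cover. First, a DNS answer can change between validation and delivery, so the delivery client should connect to the address that was validated (or re-run the check at connect time) and should not follow redirects, which would otherwise route the request to a destination that was never validated. Second, this only addresses the URL half of the advisory's fix; the missing role enforcement on the create, update, and trigger paths is an authorization check in the application's request handling, not a URL property.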
Preconditions
- config: Webhooks must be enabled on the deployment
- auth: Attacker must be an authenticated non-owner API user
- input: Attacker must be able to create a transaction group via the normal transaction API
Reproduction
1. Authenticate to Firefly III 6.5.9 as a non-owner user on a deployment where webhooks are enabled.
2. Create a webhook with `POST /api/v1/webhooks` and set its `url` field to `http://127.0.0.1:8080/hit` or another server-reachable listener.
3. Create a transaction group owned by the same user through the normal transaction API.
4. Trigger delivery with `POST /api/v1/webhooks/{webhook_id}/trigger-transaction/{transactionGroup_id}`.
5. Observe the listener receiving a POST request from the Firefly III host with Firefly webhook headers such as the Firefly user agent or signature header, confirming server-side delivery.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.