VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50887

Description

Shlink v5.0.1 with AUTO_RESOLVE_TITLES enabled allows authenticated SSRF via crafted longUrl in short URL creation, enabling internal network scanning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in Shlink v5.0.1 when the AUTO_RESOLVE_TITLES configuration option is enabled. When a short URL is created or edited without an explicit title, the longUrl field is passed to the title resolution helper, which issues a server-side GET request to the submitted longUrl [1]. The application validates that the value is URL-shaped but does not block internal addresses before the fetch, so an attacker can specify http://127.0.0.1:8080/ or any other destination reachable from the server.

Exploitation

An attacker must hold a valid API key (authentication is required). The conditions are that AUTO_RESOLVE_TITLES is true and no title parameter is supplied in the short URL creation or edit request [1]. The attacker sets longUrl to an internal resource (e.g., http://192.168.1.1/admin), and the Shlink server sends a GET request to that internal address. A listener the attacker controls on the internal network can confirm receipt of this connection [1]. If the target returns HTML with a `<title>` tag, that title value is stored and may be returned in the short URL response, which enables limited information disclosure.

Impact

Successful exploitation grants an authenticated attacker the ability to probe internal network services that are reachable from the Shlink server. The attacker can discover open ports, identify running services, and potentially extract a fragment of information through the resolved page title [1]. This can aid in further attacks against internal infrastructure.

Mitigation

As of the available references, no official patch has been released for Shlink v5.0.1 [1]. The workaround is to disable AUTO_RESOLVE_TITLES in the configuration, or to always supply an explicit title when creating or editing short URLs. If the feature is required, restrict outbound network access from the Shlink server (e.g., with firewall or egress proxy rules) so that the title fetch cannot reach loopback, link-local or private IP ranges.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 entries
  • Shlinkio/Shlink (inferred), 2 version entries, both = 5.0.1:
    • (no CPE) range: = 5.0.1
    • (no CPE) range: = 5.0.1

Patches

0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing internal-address validation on the longUrl before the server-side title-resolution HTTP request is made."

Attack vector

An attacker with a valid API key sends an authenticated short URL creation or edit request with `longUrl` set to an internal address (e.g., `http://127.0.0.1:8080/`) and omits the title parameter. Because `AUTO_RESOLVE_TITLES` is enabled, the Shlink server issues a server-side GET request to that internal URL via its configured HTTP client. The response's `<title>` content is extracted and stored or returned with the short URL, giving the attacker both an outbound request primitive and limited response-content disclosure [ref_id=1].

Affected code

The automatic short URL title resolution component in Shlink 5.0.1 is affected. The create/edit flows pass the submitted `longUrl` into the title-resolution helper when `AUTO_RESOLVE_TITLES` is enabled and no explicit title is supplied. The long URL validation accepts URL-shaped values without enforcing an internal-address block before the title fetch [ref_id=1].

What the fix does

The advisory does not include a published patch. The recommended remediation is to enforce an internal-address block (deny-list or allow-list) on the `longUrl` value before the title-resolution HTTP request is made, or to disable `AUTO_RESOLVE_TITLES` when it is not required [ref_id=1].
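One way to implement the pre-fetch internal-address block described above, as an added example in Python rather than Shlink's own PHP code (the function names, the blocked-network list and the fail-closed policy are my choices, not something the advisory or the project specifies):

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Shlink code. Networks a title-resolution fetch must never
# reach: "this" network, RFC 1918, shared address space, loopback, link-local
# (which contains cloud metadata endpoints), and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(ip):
    """True if `ip` (an ipaddress object) falls in a blocked range.

    IPv4-mapped IPv6 addresses are unwrapped first, so ::ffff:127.0.0.1 is
    judged as 127.0.0.1 and not as a harmless-looking IPv6 address.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host):
    """Every address `host` denotes, as a set of ipaddress objects.

    IP literals are parsed directly. Anything else goes through the same OS
    resolver the HTTP client would use, so alternative spellings the resolver
    accepts (for example decimal or hex IPv4 forms on glibc) are judged by the
    address they actually become, not by a regex on the string.
    """
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def check_long_url(url):
    """Return (allowed, reason) for a candidate longUrl before any fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolve_host(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"  # fail closed
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"{host!r} resolves to blocked address {ip}"
    return True, f"{host!r} -> {', '.join(sorted(str(a) for a in addresses))}"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8080/", "http://[::ffff:10.0.0.1]/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://localhost/", "http://8.8.8.8/"):
        print(candidate, check_long_url(candidate))
```

Two caveats remain even with this check in place. The address validated here must also be the one the client actually connects to; if the fetch resolves the name a second time, a DNS record that changes between check and fetch (rebinding) bypasses the block. And any redirect returned by an allowed host must be run through the same check before it is followed, since a public site can redirect the fetch back to 127.0.0.1.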

Preconditions

  • config: AUTO_RESOLVE_TITLES must be enabled in the Shlink configuration
  • auth: Attacker must possess a valid API key for the Shlink instance
  • network: Attacker must be able to reach the Shlink API over the network
  • input: The request must omit an explicit title parameter

Reproduction

1. Enable `AUTO_RESOLVE_TITLES` in Shlink 5.0.1.
2. Start a server-reachable listener that returns HTML containing `<title>internal-ok</title>`.
3. Send an authenticated short URL creation request without a title, using `longUrl` set to the listener URL (e.g., `http://127.0.0.1:8080/`).
4. Observe the listener receiving a GET request from the Shlink server.
5. Observe the created short URL storing or returning the resolved title value `internal-ok` [ref_id=1].
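The behaviour in the Exploitation section and in the reproduction steps above can be modelled locally without a Shlink instance. The following is an added example in Python, my code and not Shlink's: a listener on 127.0.0.1 stands in for the internal service (step 2), `resolve_title()` models the title fetch the way the advisory describes it (a URL-shaped check only, no internal-address block), and `create_short_url()` models the create flow, calling the fetch only when no title is supplied. The listener page is constructed for the demo. In a real reproduction, step 3 would be an API-key-authenticated request to the Shlink REST API rather than a direct call to these functions.

```python
import http.server
import re
import threading
import urllib.request
from urllib.parse import urlsplit

# Constructed stand-in for the internal service the attacker wants to reach.
INTERNAL_PAGE = b"<html><head><title>internal-ok</title></head><body></body></html>"


class InternalService(http.server.BaseHTTPRequestHandler):
    seen = []  # every request the listener received, for the observer in step 4

    def do_GET(self):
        InternalService.seen.append(f"GET {self.path} from {self.client_address[0]}")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(INTERNAL_PAGE)))
        self.end_headers()
        self.wfile.write(INTERNAL_PAGE)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_listener():
    """Bind an ephemeral port on 127.0.0.1 and serve in a background thread."""
    server = http.server.HTTPServer(("127.0.0.1", 0), InternalService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def resolve_title(long_url, timeout=3):
    """Model of the vulnerable title resolution: the value only has to be
    URL-shaped, then it is fetched server-side and the <title> text returned."""
    parts = urlsplit(long_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("longUrl is not URL-shaped")
    # No check on where the host points: this is the SSRF primitive.
    with urllib.request.urlopen(long_url, timeout=timeout) as resp:
        body = resp.read(65536).decode("utf-8", "replace")
    match = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return match.group(1).strip() if match else None


def create_short_url(long_url, title=None):
    """Model of the create flow: the fetch happens only when no title is given."""
    if title is None:
        title = resolve_title(long_url)
    return {"longUrl": long_url, "title": title}


def demo():
    """Run steps 2 to 5 against the local listener; return (record, requests seen)."""
    server = start_listener()
    try:
        port = server.server_address[1]
        record = create_short_url(f"http://127.0.0.1:{port}/admin")
        return record, list(InternalService.seen)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    record, seen = demo()
    print("listener saw:", seen)
    print("stored record:", record)
```

The stored record carries the listener's title text, which is the information-disclosure half of the finding; the listener's log line is the outbound-request half. Supplying an explicit title skips the fetch entirely, which is why "no title parameter" is listed among the preconditions.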

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
