Platform
other
Component
ghostfolio
Fixed in
2.245.1
CVE-2026-28680 describes a critical Server-Side Request Forgery (SSRF) vulnerability discovered in Ghostfolio, an open-source wealth management software. This flaw allows attackers to leverage the manual asset import feature to potentially access sensitive data and internal network resources. Versions of Ghostfolio prior to 2.245.0 are affected, and a patch is available in version 2.245.0.
The SSRF vulnerability in Ghostfolio presents a significant risk. An attacker could exploit this flaw to exfiltrate sensitive cloud metadata, such as Instance Metadata Service (IMDS) data from cloud environments. This data often contains credentials and configuration details that could be used to compromise the entire cloud infrastructure. Furthermore, the attacker could use the SSRF to probe internal network services, potentially identifying other vulnerable systems or sensitive data stores within the organization's network. The blast radius therefore extends beyond the Ghostfolio instance itself to the underlying infrastructure.
CVE-2026-28680 was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The EPSS score is likely to be medium, given the critical CVSS score and the potential for significant data exfiltration. It has not yet been added to the CISA KEV catalog.
Organizations utilizing Ghostfolio for wealth management, particularly those deploying it in cloud environments or with direct access to internal network resources, are at significant risk. Shared hosting environments where Ghostfolio is installed could also be vulnerable, as attackers may be able to exploit the vulnerability through other tenants.
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28680 is to immediately upgrade Ghostfolio to version 2.245.0 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the Ghostfolio server to only necessary services. Implement strict input validation on the manual asset import feature to prevent malicious URLs. Consider using a Web Application Firewall (WAF) with SSRF protection rules to block suspicious requests. Regularly review Ghostfolio's configuration and access controls. After upgrading, confirm the fix by attempting a manual asset import with a known malicious URL and verifying that the request is blocked.
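The input-validation workaround above (restricting what the manual asset import is allowed to fetch) is illustrated here with an added example. It is not Ghostfolio's own code and does not show how the project implemented its fix; Ghostfolio is written in TypeScript, and this Python version is only a language-neutral sketch of the check. The `check_import_url` gate, the blocked address ranges, the injectable resolver and the constructed DNS table are all assumptions of the example. A hostname is resolved and every returned address must be outside the blocked ranges, which is what defeats names that mix a public record with an internal one.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Address ranges an asset-import fetcher should never be allowed to reach.
# 169.254.0.0/16 covers the cloud instance metadata service (IMDS) address
# that the advisory names as an exfiltration target. (Assumed list.)
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918
    "100.64.0.0/10",    # carrier-grade NAT, used by some cloud internals
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes IMDS
    "172.16.0.0/12",    # RFC 1918
    "192.0.0.0/24",     # IETF protocol assignments
    "192.168.0.0/16",   # RFC 1918
    "198.18.0.0/15",    # benchmarking
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved and broadcast
    "::/128",           # IPv6 unspecified
    "::1/128",          # IPv6 loopback
    "64:ff9b::/96",     # NAT64, maps onto IPv4 space
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
    "ff00::/8",         # IPv6 multicast
)]

Resolver = Callable[[str], Iterable[str]]


def _system_resolver(host: str) -> list[str]:
    # Real DNS lookup; only used when the caller does not inject a resolver.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_blocked_address(raw: str) -> bool:
    addr = ipaddress.ip_address(raw.split("%", 1)[0])  # drop IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the v4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in _BLOCKED_NETWORKS)


@dataclass
class Verdict:
    allowed: bool
    reason: str
    resolved: tuple[str, ...] = ()


def check_import_url(url: str, resolver: Resolver = _system_resolver) -> Verdict:
    """Decide whether the import feature may fetch `url`. (Hypothetical gate.)"""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return Verdict(False, f"unparseable URL: {exc}")
    if parts.scheme not in ("http", "https"):
        return Verdict(False, f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        return Verdict(False, "credentials in URL not allowed")
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host")
    if port not in (None, 80, 443):
        return Verdict(False, f"port {port} not allowed")
    # An IP literal is checked directly; a hostname is resolved and EVERY
    # returned address must be acceptable.
    try:
        ipaddress.ip_address(host.split("%", 1)[0])
        candidates = [host]
    except ValueError:
        try:
            candidates = list(resolver(host))
        except OSError as exc:
            return Verdict(False, f"DNS lookup failed: {exc}")
        if not candidates:
            return Verdict(False, "hostname did not resolve")
    for addr in candidates:
        if _is_blocked_address(addr):
            return Verdict(False, f"{addr} is in a blocked range", tuple(candidates))
    return Verdict(True, "ok", tuple(candidates))


# Constructed DNS table so the example runs offline. 203.0.113.0/24 is a
# documentation range standing in for a public address here.
_CONSTRUCTED_DNS = {
    "quotes.example": ["203.0.113.10"],
    "rebind.example": ["203.0.113.10", "10.0.0.5"],  # one internal record
    "meta.example": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list[str]:
    try:
        return _CONSTRUCTED_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


if __name__ == "__main__":
    for u in ("https://quotes.example/api", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "https://rebind.example/x",
              "file:///etc/passwd", "https://user:pw@quotes.example/"):
        print(u, "->", check_import_url(u, fake_resolver))
```

The resolve-then-check pattern leaves a window between validation and the actual fetch: the HTTP client resolves the name again, and redirects start the whole question over. In practice the fetcher should connect to the address that passed the check and re-run `check_import_url` on every redirect target rather than following redirects automatically.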
Update Ghostfolio to version 2.245.0 or higher. This version fixes the SSRF vulnerability in the manual asset import feature.
CVE-2026-28680 is a critical SSRF vulnerability affecting Ghostfolio versions prior to 2.245.0. It allows attackers to exfiltrate sensitive data and probe internal services via the asset import feature.
Yes, if you are running Ghostfolio version 2.245.0 or earlier, you are vulnerable to this SSRF attack. Upgrade immediately.
Upgrade Ghostfolio to version 2.245.0 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting network access and validating asset import inputs.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the CRITICAL severity warrants immediate attention and mitigation.
Refer to the official Ghostfolio security advisory for detailed information and updates regarding CVE-2026-28680: [https://ghostfolio.org/security/advisories](https://ghostfolio.org/security/advisories)