Platform: go
Component: github.com/pinchtab/pinchtab
Fixed in: 0.7.8, 0.7.7
CVE-2026-30834 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PinchTab, a Go application. This flaw allows attackers to exfiltrate full responses through the download handler, potentially exposing sensitive data. The vulnerability impacts versions of PinchTab before 0.7.7, and a patch has been released to address the issue.
The SSRF vulnerability in PinchTab allows an attacker to craft malicious requests that the application forwards to internal or external resources. Because the download handler allows full response exfiltration, an attacker could potentially retrieve sensitive data from internal services or external websites that PinchTab is configured to access. This could include API keys, database credentials, or other confidential information. The blast radius extends to any resources accessible by the PinchTab instance, potentially impacting internal network services and external data sources.
CVE-2026-30834 was publicly disclosed on 2026-03-10. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying PinchTab in environments with access to sensitive internal resources or external APIs are at risk. Specifically, those using PinchTab as a proxy or gateway for accessing internal services are particularly vulnerable, as the SSRF vulnerability could be leveraged to bypass access controls and retrieve confidential data.
• go / application: Inspect PinchTab configuration files for any unusual or unexpected URLs in the download handler.
grep -r 'download_url' /path/to/pinchtab/config/*.yaml
• generic web: Monitor access logs for unusual outbound requests originating from the PinchTab server. Look for requests to internal IP addresses or unexpected domains.
curl -v <pinchtab_url>/download?url=<suspicious_url>
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-30834 is to upgrade PinchTab to version 0.7.7 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block suspicious outbound requests. Restrict network access to the PinchTab instance to only necessary resources. Thoroughly review and validate any external URLs used by the download handler to prevent unintended access to sensitive data. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled securely.
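The two defensive steps above, validating every URL the download handler is asked to fetch and scanning access logs for download requests aimed at internal addresses, share one policy: reject any destination that is not a public http(s) host. The following Go program is an added example and is not PinchTab's code; the `/download?url=` request shape, the log format and the `stubResolver` name table are constructed for the illustration. `Resolver` is a hypothetical interface so the check can run offline; in production `net.LookupIP` satisfies it directly.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts name lookup so the policy can be exercised offline;
// net.LookupIP satisfies it in production.
type Resolver func(host string) ([]net.IP, error)

// stubResolver is a constructed, offline stand-in for DNS used by main.
func stubResolver(host string) ([]net.IP, error) {
	switch host {
	case "example.com": // constructed record in the TEST-NET-3 documentation range
		return []net.IP{net.ParseIP("203.0.113.10")}, nil
	case "intranet.corp.local": // constructed record inside RFC 1918 space
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	}
	return nil, fmt.Errorf("no stub record for %s", host)
}

// isInternalIP reports whether ip lies in a range that a handler fetching
// user-supplied URLs should never reach. IPv4-mapped IPv6 literals such as
// ::ffff:10.0.0.5 are covered because the net.IP methods unwrap them.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateDownloadURL returns nil only for an http(s) URL without embedded
// credentials whose host resolves exclusively to public addresses.
func ValidateDownloadURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return fmt.Errorf("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve the name
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("cannot resolve %s: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// sampleLog holds constructed access-log lines in a combined-log shape.
var sampleLog = []string{
	`10.1.2.3 - - [10/Mar/2026:10:00:01 +0000] "GET /download?url=https%3A%2F%2Fexample.com%2Freport.pdf HTTP/1.1" 200`,
	`10.1.2.3 - - [10/Mar/2026:10:00:05 +0000] "GET /download?url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200`,
	`10.1.2.3 - - [10/Mar/2026:10:00:09 +0000] "GET /download?url=http%3A%2F%2Fintranet.corp.local%2Freport.pdf HTTP/1.1" 200`,
	`10.1.2.3 - - [10/Mar/2026:10:00:12 +0000] "GET /healthz HTTP/1.1" 200`,
}

// ScanAccessLog applies the same policy retrospectively to logged
// /download requests and returns the target URLs that would be rejected.
func ScanAccessLog(lines []string, resolve Resolver) []string {
	var flagged []string
	for _, line := range lines {
		i := strings.Index(line, "/download?")
		if i < 0 {
			continue
		}
		path := line[i:]
		if j := strings.IndexByte(path, ' '); j >= 0 {
			path = path[:j]
		}
		req, err := url.Parse(path)
		if err != nil {
			continue
		}
		target := req.Query().Get("url")
		if target != "" && ValidateDownloadURL(target, resolve) != nil {
			flagged = append(flagged, target)
		}
	}
	return flagged
}

func main() {
	for _, t := range ScanAccessLog(sampleLog, stubResolver) {
		fmt.Println("suspicious download target:", t)
	}
}
```

Checking the URL once and then fetching it separately leaves a window for DNS rebinding, where the name resolves to a public address during validation and to an internal one when the fetch happens. To close it, resolve once, pin the returned IP in the HTTP client's dial function, and re-run the check on every redirect hop rather than only on the initial URL.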
Update PinchTab to version 0.7.7 or higher. This version contains the fix for the SSRF vulnerability. You can update with the Python package manager, pip, by running `pip install --upgrade pinchtab`.
CVE-2026-30834 is a Server-Side Request Forgery (SSRF) vulnerability in PinchTab, allowing attackers to exfiltrate full responses via the download handler.
You are affected if you are running a version of PinchTab prior to 0.7.7. Upgrade to the latest version to mitigate the risk.
Upgrade PinchTab to version 0.7.7 or later. Consider implementing WAF rules and restricting network access as temporary mitigations.
There is currently no indication of active exploitation campaigns for CVE-2026-30834.
Refer to the PinchTab project's GitHub repository for updates and advisories related to CVE-2026-30834: [https://github.com/pinchtab/pinchtab](https://github.com/pinchtab/pinchtab)