Platform
go
Component
github.com/pinchtab/pinchtab
Fixed in
0.7.8
0.7.7
CVE-2026-30834 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PinchTab, a Go application. This flaw allows attackers to exfiltrate full responses through the download handler, potentially exposing sensitive data. The vulnerability impacts versions of PinchTab before 0.7.7, and a patch has been released to address the issue.
The SSRF vulnerability in PinchTab allows an attacker to craft malicious requests that the application forwards to internal or external resources. Because the download handler allows full response exfiltration, an attacker could potentially retrieve sensitive data from internal services or external websites that PinchTab is configured to access. This could include API keys, database credentials, or other confidential information. The blast radius extends to any resources accessible by the PinchTab instance, potentially impacting internal network services and external data sources.
CVE-2026-30834 was publicly disclosed on 2026-03-10. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.01% (2% percentile)
The primary mitigation for CVE-2026-30834 is to upgrade PinchTab to version 0.7.7 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block suspicious outbound requests. Restrict network access to the PinchTab instance to only necessary resources. Thoroughly review and validate any external URLs used by the download handler to prevent unintended access to sensitive data. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled securely.
Update PinchTab to version 0.7.7 or higher. This version contains the fix for the SSRF vulnerability. You can update using the Python package manager, pip, by running `pip install --upgrade pinchtab`.
CVE-2026-30834 is a Server-Side Request Forgery (SSRF) vulnerability in PinchTab, allowing attackers to exfiltrate full responses via the download handler.
You are affected if you are running a version of PinchTab prior to 0.7.7. Upgrade to the latest version to mitigate the risk.
Upgrade PinchTab to version 0.7.7 or later. Consider implementing WAF rules and restricting network access as temporary mitigations.
There is currently no indication of active exploitation campaigns for CVE-2026-30834.
Refer to the PinchTab project's GitHub repository for updates and advisories related to CVE-2026-30834: [https://github.com/pinchtab/pinchtab](https://github.com/pinchtab/pinchtab)