Platform
go
Component
github.com/pinchtab/pinchtab
Fixed in
0.7.8
0.7.7
CVE-2026-30834 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PinchTab, a Go application. This flaw allows attackers to exfiltrate full responses through the download handler, potentially exposing sensitive data. The vulnerability impacts versions of PinchTab before 0.7.7, and a patch has been released to address the issue.
The SSRF vulnerability in PinchTab allows an attacker to craft malicious requests that the application forwards to internal or external resources. Because the download handler allows full response exfiltration, an attacker could potentially retrieve sensitive data from internal services or external websites that PinchTab is configured to access. This could include API keys, database credentials, or other confidential information. The blast radius extends to any resources accessible by the PinchTab instance, potentially impacting internal network services and external data sources.
CVE-2026-30834 was publicly disclosed on 2026-03-10. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying PinchTab in environments with access to sensitive internal resources or external APIs are at risk. Specifically, those using PinchTab as a proxy or gateway for accessing internal services are particularly vulnerable, as the SSRF vulnerability could be leveraged to bypass access controls and retrieve confidential data.
• go / application: Inspect PinchTab configuration files for any unusual or unexpected URLs in the download handler.
  grep -r 'download_url' /path/to/pinchtab/config/*.yaml
• generic web: Monitor access logs for unusual outbound requests originating from the PinchTab server. Look for requests to internal IP addresses or unexpected domains.
  curl -v <pinchtab_url>/download?url=<suspicious_url>
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-30834 is to upgrade PinchTab to version 0.7.7 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block suspicious outbound requests. Restrict network access to the PinchTab instance to only necessary resources. Thoroughly review and validate any external URLs used by the download handler to prevent unintended access to sensitive data. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled securely.
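The following Go program is an added example, not PinchTab's own code, and serves both the detection bullet above (monitoring access logs for download requests aimed at internal addresses) and the mitigation advice to validate any external URL the download handler is asked to fetch. The access-log format, the DNS table and the log lines are all constructed for the example; `ValidateDownloadURL`, `ScanAccessLog` and `FakeLookup` are names chosen here and do not correspond to anything in the project. The validator rejects non-http(s) schemes, `localhost`, and any host whose literal or resolved addresses fall in loopback, private, link-local or equivalent IPv6 ranges, including the IPv4-mapped IPv6 spelling that naive checks miss.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Ranges a download handler must never fetch from: loopback, RFC 1918 private space,
// link-local (covers cloud metadata endpoints), "this network", and their IPv6 peers.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// ValidateDownloadURL returns nil only for an http(s) URL whose host resolves solely to
// addresses outside blockedNets. lookup is injected so the check runs offline here; production
// code would wrap net.DefaultResolver.LookupNetIP and pin the resolved address when dialing.
func ValidateDownloadURL(raw string, lookup func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" || strings.EqualFold(host, "localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // IP literal: no DNS involved
	} else if addrs, err = lookup(host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, a := range addrs {
		for _, p := range blockedNets {
			if p.Contains(a.Unmap()) { // Unmap folds ::ffff:10.0.0.5 to 10.0.0.5 so IPv4 prefixes match
				return fmt.Errorf("%s resolves to blocked address %s", host, a)
			}
		}
	}
	return nil
}

// Hit is an access-log request whose download target failed validation.
type Hit struct {
	Line           int
	Target, Reason string
}

// ScanAccessLog reads lines in the constructed format `<timestamp> <client-ip> <method> <path> <status>`
// (PinchTab's real log format is not assumed) and flags every /download request whose url
// parameter fails ValidateDownloadURL, i.e. a fetch that would have reached an internal address.
func ScanAccessLog(lines []string, lookup func(string) ([]netip.Addr, error)) []Hit {
	var hits []Hit
	for i, line := range lines {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		req, err := url.ParseRequestURI(f[3])
		if err != nil || req.Path != "/download" {
			continue
		}
		if target := req.Query().Get("url"); target != "" {
			if verr := ValidateDownloadURL(target, lookup); verr != nil {
				hits = append(hits, Hit{i + 1, target, verr.Error()})
			}
		}
	}
	return hits
}

// dnsTable and FakeLookup stand in for DNS (constructed; 203.0.113.0/24 is
// documentation space, so example.com behaves like a public host).
var dnsTable = map[string][]netip.Addr{
	"example.com":   {netip.MustParseAddr("203.0.113.10")},
	"intranet.corp": {netip.MustParseAddr("10.0.0.5")},
}

func FakeLookup(host string) ([]netip.Addr, error) {
	if addrs, ok := dnsTable[host]; ok {
		return addrs, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// SampleLog is constructed input in the format ScanAccessLog expects.
var SampleLog = []string{
	"2026-03-11T10:02:13Z 198.51.100.7 GET /download?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin 200",
	"2026-03-11T10:02:14Z 198.51.100.7 GET /healthz 200",
	"2026-03-11T10:02:15Z 198.51.100.9 GET /download?url=https%3A%2F%2Fexample.com%2Freport.pdf 200",
	"2026-03-11T10:02:16Z 198.51.100.7 GET /download?url=http%3A%2F%2Fintranet.corp%2Ffinance.csv 200",
	"2026-03-11T10:02:17Z 198.51.100.7 GET /download?url=http%3A%2F%2F%5B%3A%3Affff%3A10.0.0.5%5D%2F 200",
}
```

Running `ScanAccessLog(SampleLog, FakeLookup)` flags lines 1, 4 and 5 (loopback literal, a hostname that resolves into private space, and an IPv4-mapped IPv6 literal) and leaves the `example.com` request alone. The same `ValidateDownloadURL` is what a hardened handler would call before issuing the outbound request; resolving every address a name maps to, rather than only the first, matters because a name can point at both a public and a private address.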
Update PinchTab to version 0.7.7 or later. This version contains the fix for the SSRF vulnerability. You can update using the Python package manager, pip, by running `pip install --upgrade pinchtab`.
CVE-2026-30834 is a Server-Side Request Forgery (SSRF) vulnerability in PinchTab, allowing attackers to exfiltrate full responses via the download handler.
You are affected if you are running a version of PinchTab prior to 0.7.7. Upgrade to the latest version to mitigate the risk.
Upgrade PinchTab to version 0.7.7 or later. Consider implementing WAF rules and restricting network access as temporary mitigations.
There is currently no indication of active exploitation campaigns for CVE-2026-30834.
Refer to the PinchTab project's GitHub repository for updates and advisories related to CVE-2026-30834: [https://github.com/pinchtab/pinchtab](https://github.com/pinchtab/pinchtab)