Platform: go
Component: github.com/pinchtab/pinchtab
Fixed version: 0.7.8
Fixed version: 0.7.7
CVE-2026-30834 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PinchTab, a Go application. This flaw allows attackers to exfiltrate full responses through the download handler, potentially exposing sensitive data. The vulnerability impacts versions of PinchTab before 0.7.7, and a patch has been released to address the issue.
The SSRF vulnerability in PinchTab allows an attacker to craft malicious requests that the application forwards to internal or external resources. Because the download handler allows full response exfiltration, an attacker could potentially retrieve sensitive data from internal services or external websites that PinchTab is configured to access. This could include API keys, database credentials, or other confidential information. The blast radius extends to any resources accessible by the PinchTab instance, potentially impacting internal network services and external data sources.
CVE-2026-30834 was publicly disclosed on 2026-03-10. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (POC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations deploying PinchTab in environments with access to sensitive internal resources or external APIs are at risk. Specifically, those using PinchTab as a proxy or gateway for accessing internal services are particularly vulnerable, as the SSRF vulnerability could be leveraged to bypass access controls and retrieve confidential data.
• go / application: Inspect PinchTab configuration files for any unusual or unexpected URLs in the download handler.
  grep -r 'download_url' /path/to/pinchtab/config/*.yaml
• generic web: Monitor access logs for unusual outbound requests originating from the PinchTab server. Look for requests to internal IP addresses or unexpected domains.
  curl -v <pinchtab_url>/download?url=<suspicious_url>
Exploit status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-30834 is to upgrade PinchTab to version 0.7.7 or later, which includes the fix for the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block suspicious outbound requests. Restrict network access to the PinchTab instance to only necessary resources. Thoroughly review and validate any external URLs used by the download handler to prevent unintended access to sensitive data. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled securely.
Update PinchTab to version 0.7.7 or later. This version includes the fix for the SSRF vulnerability. You can update by running `pip install --upgrade pinchtab` with the Python package manager pip.
CVE-2026-30834 is a Server-Side Request Forgery (SSRF) vulnerability in PinchTab, allowing attackers to exfiltrate full responses via the download handler.
You are affected if you are running a version of PinchTab prior to 0.7.7. Upgrade to the latest version to mitigate the risk.
Upgrade PinchTab to version 0.7.7 or later. Consider implementing WAF rules and restricting network access as temporary mitigations.
There is currently no indication of active exploitation campaigns for CVE-2026-30834.
Refer to the PinchTab project's GitHub repository for updates and advisories related to CVE-2026-30834: [https://github.com/pinchtab/pinchtab](https://github.com/pinchtab/pinchtab)