PT-2026-22995 · Idno · Idno

Anuraagbaishya · Published 2026-03-02 · Updated 2026-03-06

CVE-2026-28508 · CVSS v4.0 9.2 Critical · Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Idno versions prior to 1.6.4

Description: A flaw in the API authentication flow of Idno allows the CSRF protection on the URL unfurl service endpoint to be bypassed. The cause is the absence of a login requirement on the endpoint combined with a logic error in the authentication process. An unauthenticated remote attacker can exploit this to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and to retrieve the response content. The vulnerability involves the Idno/Pages/Service/Web/UrlUnfurl.php, Idno/Core/Session.php, and Idno/Core/Actions.php components. The affected endpoint is the GET request to '/service/web/unfurl?url=', handled by the Idno\Pages\Service\Web\UrlUnfurl::getContent() function. The issue arises because setIsAPIRequest(true) is called unconditionally before credential verification, so the token gatekeeper can be bypassed by supplying any non-empty values for the X-IDNO-USERNAME and X-IDNO-SIGNATURE headers. This grants access to internal services and allows potential exfiltration of sensitive information, such as cloud instance metadata.

Recommendations: Versions prior to 1.6.4 should be updated to version 1.6.4 or later. Move setIsAPIRequest(true) to after successful HMAC verification. Block private address ranges in the unfurl function to prevent requests to RFC 1918 addresses, loopback, and link-local ranges.
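The second recommendation (blocking private ranges before the unfurl fetch) as an added example; this is not Idno's own code (the project is PHP), and the IPv6 ranges, the pluggable resolver, and the function names are assumptions made here to show the check end to end.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the unfurl fetcher must never reach. RFC 1918, loopback and link-local
# are the ranges the advisory names; the IPv6 forms are an added assumption so
# an AAAA record or an IPv4-mapped literal cannot route around the check.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, incl. 169.254.169.254
)]

def is_blocked_ip(ip_text):
    """True if the address literal lies inside any blocked range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def _resolve_all(host):
    """Every A/AAAA address for host (default resolver; replaceable for tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_unfurl_url(url, resolve=_resolve_all):
    """Return (True, addresses) if url may be fetched, else (False, reason).
    Every resolved address is checked, not just the first, because a name the
    attacker controls can mix a public A record with a private one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "only http(s) URLs with a host are unfurled"
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    # The caller should connect to one of the returned addresses (and re-run this
    # check on every redirect) so the DNS answer cannot change between check and fetch.
    return True, addrs
```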

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-28508
GHSA-FCRH-FQXH-6FX6

Affected Products

Idno