PT-2026-27626 · Pinchtab · Pinchtab

Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33619

CVSS v3.1: 5.5 Medium
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PinchTab versions prior to 0.8.4
Description: PinchTab includes an optional scheduler that, in version 0.8.3, had a server-side request forgery (SSRF) issue in its webhook delivery path. When a task is submitted to the POST /tasks endpoint with a user-controlled callbackUrl, the scheduler sends an outbound HTTP POST request to that URL once the task reaches a terminal state. The 0.8.3 release validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. The implementation also followed redirects and did not pin the outbound connection to the validated IPs, allowing a blind SSRF from the PinchTab server to attacker-chosen HTTP(S) targets reachable from the server. The issue is narrower than a general unauthenticated internet-facing SSRF: the scheduler is optional and off by default, and in token-protected deployments an attacker must already be able to submit tasks using the server's master API token. Beyond the scheme check, the callbackUrl parameter was accepted without server-side validation.
Recommendations: Update to PinchTab version 0.8.4 or later.
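As an added illustration (not PinchTab's code and not the 0.8.4 fix itself), the Go sketch below shows the three controls the description says were missing in 0.8.3: reject non-public destinations after resolving the host, pin the outbound dial to the vetted address, and stop following redirects. The function names (isPublicIP, validateCallbackURL, pinnedClient) and the injected lookup are assumptions; in real use pass net.LookupIP as the lookup.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// isPublicIP rejects loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), unspecified and multicast ranges.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsInterfaceLocalMulticast())
}

// validateCallbackURL is the scheme-only check plus resolve-and-vet; lookup is injected so this runs offline.
func validateCallbackURL(raw string, lookup func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("callbackUrl must be an absolute http(s) URL")
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // not an IP literal: resolve once and reuse exactly these addresses later
		if ips, err = lookup(u.Hostname()); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", u.Hostname())
		}
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return nil, fmt.Errorf("callbackUrl resolves to non-public address %s", ip)
		}
	}
	return ips, nil
}

// pinnedClient dials only the vetted IP (no DNS rebinding between check and use) and never follows redirects.
func pinnedClient(ip net.IP) *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Transport: &http.Transport{DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			_, port, err := net.SplitHostPort(addr) // keep the request's port, swap in the vetted host
			if err != nil {
				return nil, err
			}
			return (&net.Dialer{}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		}},
	}
}
```

Go's net.IP predicates do not cover every special-purpose range (for example shared address space 100.64.0.0/10), so a deployment that needs a stricter policy should extend isPublicIP with an explicit deny list.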

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33619
GHSA-XQQ2-4J46-VWP7
GO-2026-4825
SUSE-SU-2026:1135-1

Affected Products

Pinchtab