CVE-2026-45012: Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit or edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of the time of publication, no known patched versions are available.
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authenticated server-side request forgery (SSRF) vulnerability exists in ApostropheCMS versions up to and including 4.29.0, affecting the rich-text widget import flow via the @apostrophecms/area/validate-widget endpoint. An attacker with any valid login capable of editing rich-text widget content can force the server to issue HTTP requests to attacker-controlled URLs during widget validation. Successful exploitation allows the attacker to read internal network resources, exfiltrate those responses through Apostrophe's own media hosting, and cause limited data tampering and service degradation. No patched version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix is released.
HarborGuard Coverage
Detection of CVE-2026-45012 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle apostrophecms/apostrophe at or below version 4.29.0. Any registry or CI pipeline image containing an affected version is flagged automatically on each scan cycle.
Status: Available
HarborGuard scores this CVE at CVSS 7.6 (HIGH) and surfaces it accordingly in each customer's triage queue, with per-environment compliance policy weighting applied to prioritize it relative to other open findings. Routing rules direct the alert to the team or inbox configured for the affected workload within each customer organization.
Status: Available
Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed version of apostrophecms/apostrophe appears upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention once a fix version is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the ApostropheCMS service via HTTP/HTTPS.
- Authentication: Required. Any low-privilege account with permission to create or edit rich-text widget content is sufficient to trigger the SSRF; no admin access is needed.
- Victim interaction: Not required. No victim action is required; the attacker submits the malicious widget payload directly to the server.
- Attack complexity: Exploitation is reliable and condition-free; submitting a crafted URL in the widget import payload is sufficient, with no race conditions or special environmental setup needed.
Blast Radius
- The server issues outbound HTTP requests to attacker-controlled or internal URLs, exposing internal services, cloud metadata endpoints (such as AWS IMDSv1), and other resources unreachable from outside the network.
- For image-compatible responses, the fetched content is persisted and re-hosted by Apostrophe, giving the attacker a durable copy of exfiltrated internal data accessible via the CMS media layer.
- The attacker can write limited data through the persistence mechanism, modifying what Apostrophe stores and serves as media assets.
- Repeated or large-payload SSRF requests can degrade server responsiveness, causing partial availability loss for the affected CMS instance.
How HarborGuard Handles This
Status: Available on HarborGuard.
Because no upstream fix exists for CVE-2026-45012 at this time, HarborGuard continuously monitors the advisory and will trigger a patched-image rebuild the moment apostrophecms/apostrophe publishes a fix version. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression-test run and a PR opened against any affected workload, with a typical median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues once a fix is available. In the interim, compensating controls worth considering include applying Kubernetes NetworkPolicy or equivalent egress filtering rules to block unexpected outbound connections from ApostropheCMS pods (particularly to RFC-1918 ranges and cloud metadata addresses such as 169.254.169.254), restricting the widget-editing permission to the smallest necessary set of authenticated users through Apostrophe's role configuration, and using an HTTP egress proxy with an allowlist to intercept and reject server-initiated fetches to unauthorized destinations. HarborGuard will surface a new finding automatically if the upstream advisory is updated with a patched version or revised impact scope.
Affected Products
- apostrophecms/apostrophe <= 4.29.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L