CVE-2026-47170: Garlic-Hub: SSRF vulnerability in uploadFromUrl endpoint
Garlic-Hub manages a digital signage network (devices, content, and playlists) from a single self-hosted interface. Prior to version 1.1, any authenticated user can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning, service fingerprinting, and retrieval of internal HTTP responses, which are stored in the publicly accessible media pool. This issue has been patched in version 1.1.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: 1.1
- Affected Products: 1
HarborGuard Analysis
Synopsis
A server-side request forgery (SSRF) vulnerability affects Garlic-Hub, a self-hosted digital signage management platform. The flaw is reachable over the network and requires only a low-privilege authenticated account; no victim interaction is needed. A successful attacker can direct the Garlic-Hub server to issue arbitrary HTTP requests against internal services, enabling internal port scanning, service fingerprinting, and exfiltration of internal HTTP responses via the publicly accessible media pool. The upstream fix is version 1.1; HarborGuard tracks this advisory and rebuilds affected images at that version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that package Garlic-Hub. Any image running a version of garlic-hub prior to 1.1 is flagged automatically.
HarborGuard scores this finding at CVSS 7.7 HIGH using the published v3.1 vector and weights it further against each customer environment's compliance policy, routing the alert to the appropriate team inbox within the customer org.
The upstream fix is version 1.1, so remediation is an upgrade of garlic-hub to 1.1 or later. For customers with auto-remediation enabled, the rebuild at the fixed version, the regression test run, and the PR against affected workloads are triggered automatically.
Exploit Conditions
- Network reachability: Required
The uploadFromUrl endpoint is exposed over the network, so the attacker must be able to reach the Garlic-Hub instance across the internet or an internal network.
- Authentication: Required
Any low-privilege authenticated account is sufficient to trigger the SSRF; no administrative or elevated permissions are needed.
- Victim interaction: Not required
The attacker makes direct HTTP requests to the vulnerable endpoint; no user action or social engineering is required.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions or special environmental factors need to be in place.
Blast Radius
- Reads HTTP responses from internal services (configuration endpoints, metadata APIs, internal dashboards) and stores them in the publicly accessible media pool where any unauthenticated visitor can retrieve them.
- Maps the internal network by probing arbitrary host-and-port combinations and inferring service availability from HTTP response codes and bodies.
- Fingerprints internal services (version strings, software identities) to support follow-on attacks against those systems.
- Confidentiality of systems reachable from the Garlic-Hub host is rated High with changed scope (S:C), since the impact lands on internal services rather than on Garlic-Hub itself; the CVSS vector records no integrity or availability impact, so the attacker cannot directly modify data or cause outages through this bug alone.
How HarborGuard Handles This
The fix is garlic-hub 1.1; upgrading is the primary remediation. Where an upgrade cannot be applied immediately, customers can reduce exposure through compensating controls: applying a network policy that restricts outbound HTTP connections from the Garlic-Hub container to only known, approved destinations; placing the instance behind an egress filter that blocks requests to RFC 1918 address ranges, loopback, and cloud metadata endpoints (such as 169.254.169.254); and, where feasible, disabling the uploadFromUrl feature via configuration or feature-flag gating until the upgrade is done. Note that an egress filter on the container is the control that holds even if the application-side URL check is bypassed (for example by a redirect from an approved host or by a hostname that resolves to an internal address), so it should be applied alongside, not instead of, the upgrade. HarborGuard makes a rebuilt image at the fixed version available; for customers with auto-remediation enabled, the platform automatically triggers the rebuild, runs the regression suite, and opens a PR against affected workloads.
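To make the application-side control concrete, the following is an added example of a destination guard for an upload-from-URL handler. It is illustration code written for this advisory, not Garlic-Hub's code and not its patch. The policy it enforces (http/https only, ports 80 and 443, an optional host allow-list), the `Verdict` type, the `send` transport hook, and the constructed DNS table and redirect stub are all assumptions made for the example. It checks every resolved address rather than the hostname string, unwraps IPv4-mapped IPv6, pins the connection to the vetted address, and re-runs the check on every redirect hop, which is where a naive "block 10.0.0.0/8 in the URL" filter fails.

```python
"""SSRF destination guard for an upload-from-URL handler (example, not Garlic-Hub code)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Assumed policy for this example.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """All A/AAAA answers from the OS resolver. getaddrinfo also accepts obfuscated
    literals (0x7f000001, 2130706433), so validating resolved addresses covers those."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(ip: str) -> bool:
    """Globally routable only: rejects RFC 1918, loopback, link-local (which includes
    169.254.169.254), multicast, unspecified and reserved space. IPv4-mapped IPv6 is
    unwrapped so ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


@dataclass
class Verdict:
    allowed: bool
    reason: str
    pinned_ip: Optional[str] = None   # address the transport must connect to
    body: Optional[bytes] = None


def check_url(url: str, resolver: Resolver = system_resolver,
              allowed_hosts: Optional[set[str]] = None) -> Verdict:
    """Policy check for one URL; returns the address to pin the connection to so a
    second DNS answer (rebinding) cannot re-point the fetch after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials in URL")
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return Verdict(False, "malformed port")
    if port not in ALLOWED_PORTS:
        return Verdict(False, f"port {port} not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        return Verdict(False, f"host {host!r} not on allow-list")
    try:
        ips = [str(ipaddress.ip_address(host))]      # IP literal: no lookup needed
    except ValueError:
        try:
            ips = list(resolver(host))
        except OSError as exc:
            return Verdict(False, f"resolution failed: {exc}")
    if not ips:
        return Verdict(False, "host has no addresses")
    for ip in ips:                                    # every answer must be public
        if not is_public(ip):
            return Verdict(False, f"{host} resolves to non-public {ip}")
    return Verdict(True, "ok", pinned_ip=ips[0])


Transport = Callable[[str, str], tuple[int, Optional[str], bytes]]


def fetch_checked(url: str, send: Transport, resolver: Resolver = system_resolver,
                  allowed_hosts: Optional[set[str]] = None, max_redirects: int = 3) -> Verdict:
    """Follow redirects by hand so each hop is re-checked: an approved public host that
    302s to 169.254.169.254 is stopped at hop 1. send(url, pinned_ip) is the caller's
    transport (a stub below) returning (status, location, body)."""
    for hop in range(max_redirects + 1):
        verdict = check_url(url, resolver, allowed_hosts)
        if not verdict.allowed:
            return Verdict(False, f"hop {hop}: {verdict.reason}")
        status, location, body = send(url, verdict.pinned_ip)
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return Verdict(True, "ok", verdict.pinned_ip, body)
    return Verdict(False, "too many redirects")


# Constructed DNS table and transport stub so the example runs offline.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["93.184.216.34"],                # public only
    "media.example.org": ["93.184.216.34"],              # public only
    "split.example.net": ["93.184.216.34", "10.0.0.5"],  # one private answer
    "loop.example.org": ["::ffff:127.0.0.1"],            # mapped loopback
}


def constructed_resolver(host: str) -> list[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return CONSTRUCTED_DNS[host]


def constructed_send(url: str, pinned_ip: str):
    """Stub transport: the CDN answers with a redirect into the metadata service."""
    if url.startswith("http://cdn.example.com/"):
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    return 200, None, b"payload"
```

Running `fetch_checked("http://cdn.example.com/logo.png", constructed_send, constructed_resolver)` returns a denied verdict at hop 1 even though the original URL passed, while `split.example.net` is refused at hop 0 because one of its answers is private. In production the transport must actually connect to `pinned_ip` (sending the original hostname in the Host header and for TLS SNI) rather than re-resolving the name, and the container-level egress filter described above remains the backstop.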
Affected Products
- garlic-signage / garlic-hub: < 1.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N