CVE-2026-47684: Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A server-side request forgery (SSRF) protection bypass affects Sync-in Server versions before 2.3.0. The URL download feature uses a regular expression to block requests to private IP ranges, but the regex fails to match IPv4-mapped IPv6 addresses (for example, ::ffff:127.0.0.1), so an attacker with a low-privilege account can craft a URL using this address format to make the server issue requests to internal network resources on dual-stack systems. Successful exploitation exposes internal service responses to the attacker, enabling unauthorized reads of data that should not be reachable from the outside. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
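As an added illustration (not code from Sync-in Server), the JavaScript below contrasts a dotted-quad-only blocklist, a stand-in for the kind of regex the advisory describes, with a check that first rewrites IPv4-mapped IPv6 literals back to their IPv4 form; the regexes, helper names and sample addresses are assumptions constructed for this example.

```javascript
// Added example (not Sync-in Server's code): an IPv4-only private-range
// regex versus a check that first unmaps IPv4-mapped IPv6 literals.

// Hypothetical stand-in for a dotted-quad-only blocklist: loopback,
// RFC-1918, link-local and 0.0.0.0/8. It never sees the "::ffff:" prefix.
const naivePrivateIpRe =
  /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.)/;

// Loopback/unspecified (::1, ::), unique-local (fc00::/7), link-local (fe80::/10).
const privateIPv6Re = /^(::1?$|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/;

function isPrivateNaive(host) {
  return naivePrivateIpRe.test(host);
}

// Rewrite an IPv4-mapped IPv6 literal as its dotted-quad IPv4 address.
// Accepts "::ffff:127.0.0.1", "0:0:0:0:0:ffff:127.0.0.1", the hex form
// "::ffff:7f00:1", and the bracketed form used inside URLs. Anything else
// is returned unchanged (trimmed and lower-cased).
function unmapIPv4(host) {
  let h = host.trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1);
  const prefix = '^(?:::|(?:0{1,4}:){5})ffff:';
  let m = new RegExp(prefix + '(\\d{1,3}(?:\\.\\d{1,3}){3})$').exec(h);
  if (m) return m[1];
  m = new RegExp(prefix + '([0-9a-f]{1,4}):([0-9a-f]{1,4})$').exec(h);
  if (m) {
    const hi = parseInt(m[1], 16);
    const lo = parseInt(m[2], 16);
    return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  return h;
}

// Hardened check: normalise first, then test both the IPv4 and IPv6 lists.
function isPrivateHardened(host) {
  const h = unmapIPv4(host);
  return naivePrivateIpRe.test(h) || privateIPv6Re.test(h);
}

// Constructed sample literals: the mapped loopback slips past the naive
// regex but is caught once unmapped; a public address stays allowed.
const samples = ['::ffff:127.0.0.1', '::ffff:7f00:1', '[::ffff:10.0.0.5]',
                 '::1', '::ffff:8.8.8.8', '93.184.216.34'];
for (const s of samples) {
  console.log(s.padEnd(20), 'naive:', isPrivateNaive(s),
              'hardened:', isPrivateHardened(s));
}
```

A literal-only check still leaves the hostname path open, so the same function should also be applied to the address the resolver returns before the outbound connection is made.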
HarborGuard Coverage
Detection for CVE-2026-47684 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from Sync-in Server base layers. Any image running a Sync-in Server version below 2.3.0 is flagged automatically.
HarborGuard scores this CVE at CVSS 7.7 HIGH and surfaces it accordingly in each customer's finding queue, weighted against that environment's compliance policy. Triage routing directs the finding to the team or inbox configured for high-severity network-reachable issues within each organization.
No fix version has been published upstream for this CVE at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a resolved release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Sync-in Server URL download endpoint over the network; the service must be internet- or intranet-accessible for exploitation to succeed.
- Authentication: Required
A low-privilege account is sufficient; the attacker must hold valid credentials for any standard user role on the Sync-in Server instance.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker submits a crafted URL directly to the download endpoint without involving another user.
- Attack complexity: Low
Exploit complexity is low: no race conditions or special environmental factors are required, and the bypass works reliably on any dual-stack system running the affected regex logic.
Blast Radius
- Reads responses from internal HTTP services that should be blocked by SSRF protections, such as metadata endpoints, internal APIs, or admin panels reachable only from the host.
- Extracts sensitive data returned by those internal services, including credentials, tokens, or configuration details exposed on loopback or RFC-1918 addresses.
- Scope extends beyond the Sync-in Server process itself to other services on the same host or internal network segment, as indicated by the changed-scope (S:C) rating in the CVSS vector.
How HarborGuard Handles This
Available on HarborGuard: detection for this SSRF bypass is active for all environments running Sync-in Server images below 2.3.0, with findings surfaced at HIGH severity. Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once the maintainer releases a resolved version. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict outbound connections from the Sync-in Server pod to known-safe destinations, egress filtering to block requests to RFC-1918 and loopback ranges at the network layer (covering both IPv4 and IPv6 mapped forms), and disabling the URL download feature via a feature flag if the application surface allows it. These measures reduce exposure while the upstream fix is pending.
Affected Products
- Sync-in / server: < 2.3.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N