CVE-2026-50131 · Severity: HIGH · CNA: GitHub_M

CVE-2026-50131: Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch.
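The following is an added example, not Fedify's code or the upstream patch: a strict public-IPv4 check that rejects every block in the IANA IPv4 Special-Purpose Address Registry, placed next to a function that reproduces the five-range blocklist the advisory describes, so the gap between the two is visible on concrete addresses. All function and constant names are this example's own, the registry list is the editor's (not the fix shipped in 1.9.12 and later), and the probe addresses are constructed for the demonstration.

```typescript
// Added example, not Fedify's code: a strict public-IPv4 check that rejects every
// block in the IANA IPv4 Special-Purpose Address Registry, next to a function that
// reproduces the five-range blocklist the advisory describes. All names are this
// example's own; the ranges are the editor's list, not the upstream patch.

interface Cidr { base: number; size: number }

// Accept exactly one canonical dotted quad: no leading zeros and none of the
// shorthand forms ("0x7f.1", "2130706433", "127.1") that some resolvers accept.
const OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
const DOTTED_QUAD = new RegExp(`^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}$`);

function parseIPv4(s: string): number | null {
  if (!DOTTED_QUAD.test(s)) return null;
  return s.split(".").reduce((n, octet) => n * 256 + Number(octet), 0);
}

function cidr(s: string): Cidr {
  const [ip, bits] = s.split("/");
  const addr = parseIPv4(ip);
  const prefix = Number(bits);
  if (addr === null || !(prefix >= 0 && prefix <= 32)) throw new Error(`bad CIDR: ${s}`);
  const size = 2 ** (32 - prefix);
  return { base: addr - (addr % size), size }; // normalise to the network address
}

function inAny(addr: number, ranges: Cidr[]): boolean {
  return ranges.some((r) => addr >= r.base && addr < r.base + r.size);
}

// The five ranges the advisory says the pre-fix isValidPublicIPv4Address() rejected.
const INCOMPLETE_BLOCKLIST: Cidr[] = [
  "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
].map(cidr);

// IANA IPv4 Special-Purpose Address Registry (RFC 6890 plus later entries).
const SPECIAL_PURPOSE: Cidr[] = [
  "0.0.0.0/8",       // "this" network (RFC 1122)
  "10.0.0.0/8",      // private use (RFC 1918)
  "100.64.0.0/10",   // shared address space, carrier-grade NAT (RFC 6598)
  "127.0.0.0/8",     // loopback (RFC 1122)
  "169.254.0.0/16",  // link local (RFC 3927)
  "172.16.0.0/12",   // private use (RFC 1918)
  "192.0.0.0/24",    // IETF protocol assignments (RFC 6890)
  "192.0.2.0/24",    // TEST-NET-1 (RFC 5737)
  "192.88.99.0/24",  // former 6to4 relay anycast (RFC 7526)
  "192.168.0.0/16",  // private use (RFC 1918)
  "198.18.0.0/15",   // benchmarking (RFC 2544)
  "198.51.100.0/24", // TEST-NET-2 (RFC 5737)
  "203.0.113.0/24",  // TEST-NET-3 (RFC 5737)
  "224.0.0.0/4",     // multicast (RFC 5771)
  "240.0.0.0/4",     // reserved (RFC 1112), includes 255.255.255.255 limited broadcast
].map(cidr);

// Behaviour the advisory describes: anything outside five ranges counts as public.
function isPublicIPv4Incomplete(ip: string): boolean {
  const addr = parseIPv4(ip);
  return addr !== null && !inAny(addr, INCOMPLETE_BLOCKLIST);
}

// Hardened form: fail closed on unparseable input and on every registry entry.
function isPublicIPv4Strict(ip: string): boolean {
  const addr = parseIPv4(ip);
  return addr !== null && !inAny(addr, SPECIAL_PURPOSE);
}

// Where such a check belongs: on the host of every outbound URL. A literal IPv4
// host is decided here; a hostname has to be resolved and every returned address
// checked, preferably at connect time so the answer cannot change between check
// and fetch. IPv6 literals are out of scope for this IPv4-only example.
type HostVerdict = "public" | "blocked" | "not-ipv4-literal";

function classifyUrlHost(url: string): HostVerdict {
  const host = new URL(url).hostname; // WHATWG parsing canonicalises "0x7f.1" to "127.0.0.1"
  if (!DOTTED_QUAD.test(host)) return "not-ipv4-literal";
  return isPublicIPv4Strict(host) ? "public" : "blocked";
}

// Probe addresses (constructed for this example) that the incomplete check accepts
// and the strict check rejects: the gap the advisory is about.
function bypassCandidates(): string[] {
  const probes = ["100.64.0.1", "198.18.0.1", "224.0.0.1", "0.0.0.0", "192.0.0.8",
    "240.0.0.1", "10.0.0.1", "127.0.0.1", "8.8.8.8"];
  return probes.filter((ip) => isPublicIPv4Incomplete(ip) && !isPublicIPv4Strict(ip));
}
```

`bypassCandidates()` returns the six probes that fall in shared address space, benchmarking, multicast, "this" network, IETF protocol assignments and the reserved /4, which is the class of destination the advisory says the pre-fix check let through. Two design points matter beyond the range list: the parser accepts only canonical dotted quads, so alternate encodings cannot slip past string matching, and `classifyUrlHost()` deliberately refuses to decide on hostnames, because an SSRF defence that inspects the URL string but not the address actually connected to is still bypassable via DNS.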

Metrics

CVSS v3.1: 8.6
Severity: HIGH
Fixed in: 1.9.12, 1.10.11, 2.0.19, 2.1.15, 2.2.4
Affected products: 2


HarborGuard Analysis

Synopsis

An incomplete server-side request forgery (SSRF) mitigation exists in Fedify, a TypeScript library for building ActivityPub-based federated server applications. The `validatePublicUrl()` function, added after GHSA-p9cg-vqcc-grcx to block outbound requests to internal addresses, relies on `isValidPublicIPv4Address()`, which rejects only the common private and local ranges and still accepts several special-use IPv4 blocks (shared address space/carrier-grade NAT, multicast, benchmarking, and other IANA-reserved ranges). A remote, unauthenticated attacker who can get the server to fetch a crafted ActivityPub document or media URL can therefore reach services on those ranges. Successful exploitation allows reading responses from internal services on the overlooked ranges, modifying state on a limited set of internal endpoints, and degrading availability of backend services. Upstream fixed versions are 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4; HarborGuard tracks the advisory for any further record changes.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50131 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (GitHub Advisory Database, OSV, and others) within minutes of publication and matched against customer images, including custom-built images that bundle Fedify or vocab-runtime as a dependency. Matching covers both direct and transitive package inclusions in scanned container layers.
Triage: Available

Triage is available with the CVE scored at CVSS 8.6 HIGH (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch: Upstream fix available

Upstream has published fixed versions (fedify 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4; vocab-runtime 2.0.19, 2.1.15, and 2.2.4). HarborGuard re-checks the advisory each ingest cycle and makes a patched-image rebuild available once the corrected package versions are ingested. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable fetch logic is reachable over the network, so the attacker must be able to send HTTP requests to the Fedify-powered service from a remote origin.

  • Authentication: Not required

    No account or credential is needed; the SSRF can be triggered through unauthenticated ActivityPub document or media fetch paths.

  • Victim interaction: Not required

    No user action is required; the attacker triggers the outbound fetch directly by supplying a crafted URL to the affected endpoint.

  • Attack complexity: Low

    The exploit is reliable and requires no special timing, race conditions, or environmental setup beyond supplying a URL in one of the unblocked special-use IPv4 ranges.

Blast Radius

  • An attacker reads responses from internal services bound to special-use IPv4 ranges (such as carrier-grade NAT, multicast, or benchmarking subnets) that the incomplete blocklist fails to reject, potentially exposing configuration data, tokens, or other sensitive content.
  • An attacker issues requests that modify state on internal HTTP services reachable through those ranges, for example triggering administrative endpoints or writing data to unauthenticated internal APIs.
  • An attacker causes repeated outbound connections to unresponsive or slow internal addresses, increasing latency and consuming connection-pool resources on the Fedify host, degrading service responsiveness.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50131 is actively tracked. It was published on 2026-06-10 with upstream fix versions already listed (fedify 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4; vocab-runtime 2.0.19, 2.1.15, and 2.2.4). HarborGuard re-evaluates the advisory on every ingest cycle; once the corrected fedify or vocab-runtime releases are ingested, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, triggers a rebuild plus regression run and a PR opened against affected workloads automatically. Where an upgrade cannot be rolled out immediately, compensating controls to consider include network egress policies on container workloads that restrict outbound HTTP to known-good destination ranges, an egress proxy that enforces a stricter IP allowlist, and isolating Fedify-powered services from internal subnets in shared address space/carrier-grade NAT (100.64.0.0/10), multicast (224.0.0.0/4), benchmarking (198.18.0.0/15), and the other IANA special-use blocks. Enforce these at the network or proxy layer rather than on URL strings alone, because a hostname in a fetched ActivityPub document can resolve to an address in one of those ranges. Customers whose compliance policy requires human approval before remediation changes will see the rebuild queued and held for review.
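As an added example of the egress-policy control described above (not HarborGuard's or Fedify's configuration), the Kubernetes NetworkPolicy below lets pods labelled `app=fedify` in a namespace `fediverse` reach any IPv4 address on ports 80 and 443 except the IANA special-purpose blocks, plus DNS to the cluster resolver. The namespace, pod labels, and the `k8s-app=kube-dns` resolver selector are assumptions for illustration, and the policy only does anything if the cluster's CNI enforces NetworkPolicy egress rules.

```yaml
# Added example, not HarborGuard's or Fedify's configuration. Namespace "fediverse",
# label app=fedify and the kube-dns selector are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fedify-egress-public-only
  namespace: fediverse
spec:
  podSelector:
    matchLabels:
      app: fedify
  policyTypes:
    - Egress
  egress:
    # Outbound HTTP(S) to any IPv4 destination except the special-purpose blocks,
    # so an SSRF that slips past the application check still has nowhere to go.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 0.0.0.0/8        # "this" network
              - 10.0.0.0/8       # private use
              - 100.64.0.0/10    # shared address space / carrier-grade NAT
              - 127.0.0.0/8      # loopback
              - 169.254.0.0/16   # link local (cloud metadata endpoints live here)
              - 172.16.0.0/12    # private use
              - 192.0.0.0/24     # IETF protocol assignments
              - 192.0.2.0/24     # TEST-NET-1
              - 192.88.99.0/24   # former 6to4 relay anycast
              - 192.168.0.0/16   # private use
              - 198.18.0.0/15    # benchmarking
              - 198.51.100.0/24  # TEST-NET-2
              - 203.0.113.0/24   # TEST-NET-3
              - 224.0.0.0/4      # multicast
              - 240.0.0.0/4      # reserved, includes limited broadcast
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 80
    # DNS to the cluster resolver (assumed to be kube-dns in kube-system).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Because the `except` list covers the private ranges too, this policy also cuts the pod off from in-cluster services; any legitimate internal dependency (a database, an object store, an outbound proxy) needs its own explicit egress rule. That is the intended trade-off: the Fedify process should only ever talk to the public internet and to the handful of internal peers you name, and an egress proxy with the same allowlist gives equivalent coverage where NetworkPolicy is not enforced.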

Affected packages
  • fedify-dev / fedify
    >= 0.11.2, < 1.9.12 · >= 1.10.0, < 1.10.11 · >= 2.0.0, < 2.0.19 · >= 2.1.0, < 2.1.15 · >= 2.2.0, < 2.2.4
  • fedify-dev / vocab-runtime
    < 2.0.19 · >= 2.1.0, < 2.1.15 · >= 2.2.0, < 2.2.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L