CVE-2026-50872: An issue in the loopback request handling component of fossar selfoss v2
An issue in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT allows attackers to execute arbitrary commands and obtain sensitive information by supplying a crafted HTTP request.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a remote command execution vulnerability in the loopback request handling component of fossar selfoss v2.20-SNAPSHOT. It is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable from the internet. Successful exploitation allows an attacker to execute arbitrary commands on the server and access sensitive information. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle fossar selfoss v2.20-SNAPSHOT. Coverage applies to images in connected registries and in active CI/CD pipelines.
- Triage: Available
Triage is available using the CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine priority and routing. Findings are routed to the appropriate inbox inside each customer org based on configured team ownership and severity thresholds.
- Remediation: Pending upstream
No fix version has been published upstream, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable component is exposed over the network; an attacker must be able to send HTTP requests to the service to trigger the flaw.
- Authentication: Not required
No credentials or session token are needed; the vulnerability is exploitable by any unauthenticated party with network access.
- Victim interaction: Not required
No user action is needed; the attacker sends a crafted HTTP request directly to the service without any victim involvement.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.
Blast Radius
- Attacker executes arbitrary operating system commands on the server hosting selfoss, gaining full control over the running process.
- Attacker reads sensitive information stored by the application, including configuration files, credentials, and aggregated feed data.
- Attacker modifies or deletes application data and server files, corrupting stored content and persisted state.
- Attacker can deny service to the application by terminating processes or exhausting system resources through injected commands.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.8) and is matched against customer images on every scan cycle. Because no upstream fix exists yet, HarborGuard monitors the advisory continuously and will trigger a patched-image rebuild automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound HTTP access to the selfoss service to trusted sources only, egress filtering to limit outbound connections from the container, and disabling or gating the loopback request handling feature via application configuration if the deployment does not require it.
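The network-policy isolation and egress filtering named above, written out as a Kubernetes NetworkPolicy; this is an added example, not configuration from the advisory or the selfoss project. It assumes the selfoss pods carry the label `app: selfoss` in namespace `feeds`, serve HTTP on port 8080, receive inbound traffic only through an ingress controller in namespace `ingress-nginx`, and fetch feeds from an operator-maintained allow-list; every name, port and address here is a placeholder to be replaced with the deployment's own values.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: selfoss-restrict
  namespace: feeds              # assumed namespace of the selfoss deployment
spec:
  podSelector:
    matchLabels:
      app: selfoss              # assumed label on the selfoss pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller may reach the selfoss HTTP port; any other
    # source, including other pods in the cluster, cannot send it requests.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 8080            # assumed container port serving selfoss
  egress:
    # Allow DNS to the cluster resolver only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Limit outbound feed fetches to an explicit allow-list so an injected
    # command cannot freely reach arbitrary hosts from the container.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24   # placeholder range (TEST-NET-3), not a real feed host
      ports:
        - protocol: TCP
          port: 443
```

The ingress rule alone closes the inbound surface to everything except the controller; add the egress section once the upstream feed hosts the instance actually needs have been enumerated, since an empty or wrong allow-list breaks feed updates.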
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H