CVE-2026-50886: Incorrect access control in the webhook management component of Project Firefly III v6
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Incorrect access control in the webhook management component of Firefly III v6.5.9 allows a remote, unauthenticated attacker to send a crafted POST request that causes the server to make outbound HTTP calls to attacker-specified internal addresses. This is a server-side request forgery (SSRF) class of bug, reachable over the network with no credentials required and no victim interaction needed. Successful exploitation lets an attacker map and probe internal network resources and services that would otherwise be unreachable from the outside. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images derived from Firefly III base layers. (Status: Available)
- HarborGuard scores this finding at CVSS 9.1 Critical and is capable of weighting that score against each environment's compliance policy to determine escalation urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules. (Status: Available)
- Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that patched base is available. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The vulnerable webhook endpoint is exposed over the network, so the attacker must be able to reach the Firefly III service via HTTP/HTTPS.
- Authentication: Not required
  The CVSS vector specifies PR:N, meaning no account or credential of any kind is needed to send the malicious POST request.
- Victim interaction: Not required
  The CVSS vector specifies UI:N, meaning the attacker can trigger the vulnerability entirely on their own without any action from a user or administrator.
- Attack complexity: Low
  AC:L indicates the exploit is reliable and does not depend on special conditions: no race conditions, specific memory layouts, or environmental prerequisites are required.
Blast Radius
- Attacker causes the Firefly III server to issue outbound HTTP requests to internal IP addresses and hostnames, effectively using it as a proxy to scan the internal network.
- Internal services such as metadata endpoints, databases, or cluster management APIs that are not exposed externally can be reached and fingerprinted through the vulnerable host.
- Response data or timing differences from internal hosts may be observable to the attacker, leaking information about topology, running services, and software versions.
- CVSS C:H and I:H ratings indicate full compromise of confidentiality and integrity of data the server can reach internally, though availability of the affected service itself is not directly impacted (A:N).
How HarborGuard Handles This
Available on HarborGuard: because no fix version exists for CVE-2026-50886 as of publication, the recommended immediate actions are network-policy isolation (restricting outbound HTTP from the Firefly III container to only explicitly allowed destinations), egress filtering at the cluster or host level to block requests to RFC-1918 address ranges and cloud metadata endpoints (such as 169.254.169.254), and disabling the webhook management feature via application configuration if the feature is not in active use. HarborGuard monitors the upstream Firefly III advisory on every ingest cycle; when a patched release is published, a rebuilt image at the fix version becomes available automatically, and customers with auto-remediation enabled will receive a regression-tested rebuild and a PR opened against affected workloads without manual intervention.
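The advisory above recommends blocking outbound requests to RFC-1918 ranges and the cloud metadata address at the network layer. The same rule can also be enforced inside the application before a webhook URL is ever accepted. The following is an added example written for this page, not Firefly III code and not a HarborGuard tool: it parses a user-supplied webhook URL, resolves the host through an injectable resolver, and rejects any destination that lands in a private, loopback, link-local (including 169.254.169.254) or otherwise non-routable range unless the host is on an explicit allowlist. The resolver answers and hostnames below (`constructed_resolver`, `hooks.example.net`, `intranet.corp`, `rebind.example`) are constructed sample data so the check runs offline.

```python
"""Outbound-destination check for a webhook-style feature (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Ranges a server must never be steered into contacting on a requester's behalf.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # RFC 1918
    "100.64.0.0/10",      # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local; contains cloud metadata 169.254.169.254
    "172.16.0.0/12",      # RFC 1918
    "192.168.0.0/16",     # RFC 1918
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved
    "::/128", "::1/128",  # IPv6 unspecified and loopback
    "fc00::/7",           # IPv6 unique-local
    "fe80::/10",          # IPv6 link-local
    "ff00::/8",           # IPv6 multicast
)]


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for the host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table for offline demonstration; not real hosts.
_CONSTRUCTED_DNS = {
    "hooks.example.net": ["203.0.113.10"],                 # public only
    "intranet.corp": ["10.20.30.40"],                      # private only
    "rebind.example": ["203.0.113.11", "192.168.1.5"],     # mixed answers
    "metadata.example": ["169.254.169.254"],               # metadata address
}


def constructed_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver backed by the constructed table."""
    if host not in _CONSTRUCTED_DNS:
        raise socket.gaierror(-2, f"constructed: no record for {host}")
    return list(_CONSTRUCTED_DNS[host])


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_address(addr: str) -> bool:
    """True if the literal IP lies in a range the server must not reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in _BLOCKED_NETWORKS)


def check_webhook_url(url: str, resolver: Resolver = system_resolver,
                      allowlist: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied webhook destination.

    Every address the host resolves to must be routable: one private answer
    among public ones is enough to reject. Hosts on ``allowlist`` (exact
    match) bypass the range check, mirroring an explicit egress allow-list.
    Odd literal forms (decimal or shortened IPv4) are not IP literals here and
    so are judged by what the resolver returns for them, not by their text.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host in {h.lower() for h in allowlist}:
        return True, "host on explicit allowlist"
    try:
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to non-routable address {addr}"
    return True, "destination is publicly routable"


if __name__ == "__main__":
    for candidate in ("https://hooks.example.net/notify",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.1]/", "http://rebind.example/"):
        print(candidate, "->", check_webhook_url(candidate, constructed_resolver))
```

Two caveats that this check alone does not close: the address is verified at registration time, so a record that changes between the check and the actual delivery (DNS rebinding) must be handled by connecting to the verified IP rather than re-resolving, and the HTTP client must not follow redirects to a destination that was never checked. That is why the advisory's network-layer egress filtering remains the primary control; the application-level check is a second, independent layer.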
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N