How is CVE-2026-50887 exploited?

Network reachability (required): The vulnerable component is exposed over the network; an attacker must be able to send HTTP requests to the shlink instance to trigger the SSRF. Authentication (not-required): No account or credentials are needed; the crafted long URL can be submitted by any unauthenticated caller. Victim interaction (not-required): The attacker does not need any user to take an action; submitting the crafted URL directly triggers the server-side request. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.

What is the impact of CVE-2026-50887?

The shlink server issues HTTP requests to attacker-chosen internal addresses, letting the attacker map out services on the internal network that are not publicly reachable. Responses from internal services are returned to the attacker, exposing configuration endpoints, internal APIs, metadata services (such as cloud instance metadata), and any credentials or tokens those endpoints serve. Because CVSS Integrity is rated High, the attacker can use the SSRF to send state-changing requests to internal services, modifying persisted data or triggering administrative actions on those services. Cloud-hosted deployments are at heightened risk of credential harvesting via instance metadata endpoints (for example, AWS IMDSv1), which can lead to lateral movement beyond the container.

Back to search

CRITICALCVE-2026-50887Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-50887: A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5

A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A Server-Side Request Forgery (SSRF) vulnerability exists in the automatic short URL title resolution component of shlink v5.0.1. The flaw is reachable over the network without any authentication, allowing an attacker to supply a crafted long URL that causes the shlink server to issue HTTP requests to arbitrary internal destinations. Successful exploitation lets the attacker read responses from internal services and modify data accessible through those internal endpoints. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-50887 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle shlink v5.0.1. Coverage applies to both registry scans and in-pipeline image checks at build time.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.1 (Critical) and weighting that score against each customer environment's compliance policy to determine urgency and routing. Triage tickets can be directed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by the shlink project. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable component is exposed over the network; an attacker must be able to send HTTP requests to the shlink instance to trigger the SSRF.
AuthenticationNot required
No account or credentials are needed; the crafted long URL can be submitted by any unauthenticated caller.
Victim interactionNot required
The attacker does not need any user to take an action; submitting the crafted URL directly triggers the server-side request.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.

Blast Radius

The shlink server issues HTTP requests to attacker-chosen internal addresses, letting the attacker map out services on the internal network that are not publicly reachable.
Responses from internal services are returned to the attacker, exposing configuration endpoints, internal APIs, metadata services (such as cloud instance metadata), and any credentials or tokens those endpoints serve.
Because CVSS Integrity is rated High, the attacker can use the SSRF to send state-changing requests to internal services, modifying persisted data or triggering administrative actions on those services.
Cloud-hosted deployments are at heightened risk of credential harvesting via instance metadata endpoints (for example, AWS IMDSv1), which can lead to lateral movement beyond the container.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50887 is currently unpatched upstream, so the primary capability is continuous monitoring of the advisory and compensating-control guidance for affected environments. HarborGuard re-checks the shlink advisory on every ingest cycle and will make a patched-image rebuild available, with auto-remediation customers receiving a rebuild plus regression run plus an automated PR, as soon as the upstream project publishes a fix. In the interim, customers can reduce exposure by applying network policies that restrict outbound HTTP from shlink containers to known-good destinations only, enabling egress filtering at the pod or container level to block requests to RFC-1918 address ranges and link-local ranges such as 169.254.0.0/16, and where possible disabling the automatic short URL title resolution feature via shlink configuration until a patch is available. For customers with auto-remediation enabled, the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes once an upstream fix exists.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

gist.github.com

Metrics

Get notified