YesWiki Unauthenticated SSRF via ActivityPub Signature.keyId (CVE-2026-52769)
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-52769, exists in YesWiki's `POST /api/forms/{formId}/actor/inbox` route when ActivityPub is enabled, allowing attackers to force arbitrary outbound HTTP GET requests to internal or external hosts and potentially exfiltrate sensitive information via timing and error messages.
A critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-52769, has been discovered in YesWiki versions >= 4.6.2 and < 4.6.6. The vulnerability resides in the HttpSignatureService::verifySignature() method within tools/bazar/services/HttpSignatureService.php, which is called by the publicly exposed POST /api/forms/{formId}/actor/inbox route. When ActivityPub is enabled on at least one Bazar form, an unauthenticated attacker can send a specially crafted HTTP POST request. This request contains a Signature header with a malicious URL in its keyId parameter. The server immediately makes an HTTP GET request to this attacker-controlled URL without prior validation or cryptographic verification. This allows the attacker to force the YesWiki server to interact with internal services, cloud metadata endpoints like 169.254.169.254, or other intranet-only resources, potentially leading to information disclosure, network scanning, and service enumeration.
Attack Chain
- An unauthenticated attacker sends an HTTP POST request to the publicly exposed
/?api/forms/{formId}/actor/inboxendpoint on a vulnerable YesWiki server. - The POST request includes a crafted
SignatureHTTP header, where thekeyIdparameter contains an attacker-controlled URL (e.g.,http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>). - YesWiki's Symfony controller routes the request to the
postFormActorInbox()method intools/bazar/controllers/ApiController.php. - If ActivityPub is enabled for the specified form,
postFormActorInbox()callsHttpSignatureService::verifySignature()fromtools/bazar/services/HttpSignatureService.php. - Inside
verifySignature(), theSignatureheader is parsed, and without any prior validation or cryptographic checks, an outbound HTTP GET request is immediately initiated to the URL extracted from thekeyIdparameter usinghttpClient->request(). - The YesWiki server attempts to connect to the attacker-specified internal or external host (e.g., cloud metadata service, intranet web server) and fetches its response.
- If the fetched content does not contain
publicKey.publicKeyPem(which is expected for non-ActivityPub targets), the controller returns an HTTP 500 error. - The attacker receives verbose error messages including a stack trace in the JSON response body, which can reveal the attempted URL and provide sufficient information via timing or error content to perform port scanning, service enumeration, or exfiltrate cloud metadata.
Impact
The successful exploitation of CVE-2026-52769 grants an unauthenticated attacker the ability to perform Server-Side Request Forgery, enabling them to initiate arbitrary HTTP GET requests from the vulnerable YesWiki server. This allows for reconnaissance of internal networks, including port scanning and service enumeration, by observing timing differences or explicit error messages that reveal details about unreachable or unparseable responses. Critically, attackers can target cloud metadata endpoints (e.g., 169.254.169.254) to steal sensitive IAM credentials or other instance-specific data. While no specific victim counts are available, any YesWiki instance with ActivityPub enabled and running an affected version is at risk of unauthorized access to its network environment and potential data exfiltration.
Recommendation
- Patch CVE-2026-52769 by upgrading YesWiki to version 4.6.6 or later immediately.
- Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to access the vulnerable API endpoint.
- Monitor
webserverlogs for HTTP POST requests to/api/forms/*/actor/inboxcontaining suspiciousSignatureheaders, especially those with internal or cloud metadata IP addresses in thekeyIdparameter.
Detection coverage 1
Detects CVE-2026-52769 Exploitation - YesWiki SSRF via API Actor Inbox
highDetects CVE-2026-52769 exploitation by identifying unauthenticated POST requests to the vulnerable YesWiki ActivityPub inbox endpoint. This rule flags attempts to trigger the SSRF by targeting the `/api/forms/{formId}/actor/inbox` route, which is the initial trigger point for the vulnerability.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
ip
| Type | Value |
|---|---|
| ip | 169.254.169.254 |