{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki--4.6.2--4.6.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["YesWiki (\u003e= 4.6.2, \u003c 4.6.6)"],"_cs_severities":["high"],"_cs_tags":["ssrf","web-vulnerability","php","yeswiki","unauthenticated","cve"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eA critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-52769, has been discovered in YesWiki versions \u003ccode\u003e\u0026gt;= 4.6.2\u003c/code\u003e and \u003ccode\u003e\u0026lt; 4.6.6\u003c/code\u003e. The vulnerability resides in the \u003ccode\u003eHttpSignatureService::verifySignature()\u003c/code\u003e method within \u003ccode\u003etools/bazar/services/HttpSignatureService.php\u003c/code\u003e, which is called by the publicly exposed \u003ccode\u003ePOST /api/forms/{formId}/actor/inbox\u003c/code\u003e route. When ActivityPub is enabled on at least one Bazar form, an unauthenticated attacker can send a specially crafted HTTP POST request. This request contains a \u003ccode\u003eSignature\u003c/code\u003e header with a malicious URL in its \u003ccode\u003ekeyId\u003c/code\u003e parameter. The server immediately makes an HTTP GET request to this attacker-controlled URL without prior validation or cryptographic verification. This allows the attacker to force the YesWiki server to interact with internal services, cloud metadata endpoints like \u003ccode\u003e169.254.169.254\u003c/code\u003e, or other intranet-only resources, potentially leading to information disclosure, network scanning, and service enumeration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends an HTTP POST request to the publicly exposed \u003ccode\u003e/?api/forms/{formId}/actor/inbox\u003c/code\u003e endpoint on a vulnerable YesWiki server.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a crafted \u003ccode\u003eSignature\u003c/code\u003e HTTP header, where the \u003ccode\u003ekeyId\u003c/code\u003e parameter contains an attacker-controlled URL (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u0026lt;role\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYesWiki's Symfony controller routes the request to the \u003ccode\u003epostFormActorInbox()\u003c/code\u003e method in \u003ccode\u003etools/bazar/controllers/ApiController.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf ActivityPub is enabled for the specified form, \u003ccode\u003epostFormActorInbox()\u003c/code\u003e calls \u003ccode\u003eHttpSignatureService::verifySignature()\u003c/code\u003e from \u003ccode\u003etools/bazar/services/HttpSignatureService.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003everifySignature()\u003c/code\u003e, the \u003ccode\u003eSignature\u003c/code\u003e header is parsed, and without any prior validation or cryptographic checks, an outbound HTTP GET request is immediately initiated to the URL extracted from the \u003ccode\u003ekeyId\u003c/code\u003e parameter using \u003ccode\u003ehttpClient-\u0026gt;request()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe YesWiki server attempts to connect to the attacker-specified internal or external host (e.g., cloud metadata service, intranet web server) and fetches its response.\u003c/li\u003e\n\u003cli\u003eIf the fetched content does not contain \u003ccode\u003epublicKey.publicKeyPem\u003c/code\u003e (which is expected for non-ActivityPub targets), the controller returns an HTTP 500 error.\u003c/li\u003e\n\u003cli\u003eThe attacker receives verbose error messages including a stack trace in the JSON response body, which can reveal the attempted URL and provide sufficient information via timing or error content to perform port scanning, service enumeration, or exfiltrate cloud metadata.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-52769 grants an unauthenticated attacker the ability to perform Server-Side Request Forgery, enabling them to initiate arbitrary HTTP GET requests from the vulnerable YesWiki server. This allows for reconnaissance of internal networks, including port scanning and service enumeration, by observing timing differences or explicit error messages that reveal details about unreachable or unparseable responses. Critically, attackers can target cloud metadata endpoints (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e) to steal sensitive IAM credentials or other instance-specific data. While no specific victim counts are available, any YesWiki instance with ActivityPub enabled and running an affected version is at risk of unauthorized access to its network environment and potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-52769 by upgrading YesWiki to version 4.6.6 or later immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts to access the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP POST requests to \u003ccode\u003e/api/forms/*/actor/inbox\u003c/code\u003e containing suspicious \u003ccode\u003eSignature\u003c/code\u003e headers, especially those with internal or cloud metadata IP addresses in the \u003ccode\u003ekeyId\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T21:02:14Z","date_published":"2026-07-09T21:02:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ghsa-vw42-752g-5mrp/","summary":"An unauthenticated Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-52769, exists in YesWiki's `POST /api/forms/{formId}/actor/inbox` route when ActivityPub is enabled, allowing attackers to force arbitrary outbound HTTP GET requests to internal or external hosts and potentially exfiltrate sensitive information via timing and error messages.","title":"YesWiki Unauthenticated SSRF via ActivityPub Signature.keyId (CVE-2026-52769)","url":"https://feed.craftedsignal.io/briefs/2026-07-ghsa-vw42-752g-5mrp/"}],"language":"en","title":"CraftedSignal Threat Feed - YesWiki (\u003e= 4.6.2, \u003c 4.6.6)","version":"https://jsonfeed.org/version/1.1"}