<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>YesWiki (&gt;= 4.6.2, &lt; 4.6.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/yeswiki--4.6.2--4.6.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 21:02:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/yeswiki--4.6.2--4.6.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>YesWiki Unauthenticated SSRF via ActivityPub Signature.keyId (CVE-2026-52769)</title><link>https://feed.craftedsignal.io/briefs/2026-07-ghsa-vw42-752g-5mrp/</link><pubDate>Thu, 09 Jul 2026 21:02:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ghsa-vw42-752g-5mrp/</guid><description>An unauthenticated Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-52769, exists in YesWiki's `POST /api/forms/{formId}/actor/inbox` route when ActivityPub is enabled, allowing attackers to force arbitrary outbound HTTP GET requests to internal or external hosts and potentially exfiltrate sensitive information via timing and error messages.</description><content:encoded><![CDATA[<p>A critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-52769, has been discovered in YesWiki versions <code>&gt;= 4.6.2</code> and <code>&lt; 4.6.6</code>. The vulnerability resides in the <code>HttpSignatureService::verifySignature()</code> method within <code>tools/bazar/services/HttpSignatureService.php</code>, which is called by the publicly exposed <code>POST /api/forms/{formId}/actor/inbox</code> route. When ActivityPub is enabled on at least one Bazar form, an unauthenticated attacker can send a specially crafted HTTP POST request. This request contains a <code>Signature</code> header with a malicious URL in its <code>keyId</code> parameter. The server immediately makes an HTTP GET request to this attacker-controlled URL without prior validation or cryptographic verification. This allows the attacker to force the YesWiki server to interact with internal services, cloud metadata endpoints like <code>169.254.169.254</code>, or other intranet-only resources, potentially leading to information disclosure, network scanning, and service enumeration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends an HTTP POST request to the publicly exposed <code>/?api/forms/{formId}/actor/inbox</code> endpoint on a vulnerable YesWiki server.</li>
<li>The POST request includes a crafted <code>Signature</code> HTTP header, where the <code>keyId</code> parameter contains an attacker-controlled URL (e.g., <code>http://169.254.169.254/latest/meta-data/iam/security-credentials/&lt;role&gt;</code>).</li>
<li>YesWiki's Symfony controller routes the request to the <code>postFormActorInbox()</code> method in <code>tools/bazar/controllers/ApiController.php</code>.</li>
<li>If ActivityPub is enabled for the specified form, <code>postFormActorInbox()</code> calls <code>HttpSignatureService::verifySignature()</code> from <code>tools/bazar/services/HttpSignatureService.php</code>.</li>
<li>Inside <code>verifySignature()</code>, the <code>Signature</code> header is parsed, and without any prior validation or cryptographic checks, an outbound HTTP GET request is immediately initiated to the URL extracted from the <code>keyId</code> parameter using <code>httpClient-&gt;request()</code>.</li>
<li>The YesWiki server attempts to connect to the attacker-specified internal or external host (e.g., cloud metadata service, intranet web server) and fetches its response.</li>
<li>If the fetched content does not contain <code>publicKey.publicKeyPem</code> (which is expected for non-ActivityPub targets), the controller returns an HTTP 500 error.</li>
<li>The attacker receives verbose error messages including a stack trace in the JSON response body, which can reveal the attempted URL and provide sufficient information via timing or error content to perform port scanning, service enumeration, or exfiltrate cloud metadata.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-52769 grants an unauthenticated attacker the ability to perform Server-Side Request Forgery, enabling them to initiate arbitrary HTTP GET requests from the vulnerable YesWiki server. This allows for reconnaissance of internal networks, including port scanning and service enumeration, by observing timing differences or explicit error messages that reveal details about unreachable or unparseable responses. Critically, attackers can target cloud metadata endpoints (e.g., <code>169.254.169.254</code>) to steal sensitive IAM credentials or other instance-specific data. While no specific victim counts are available, any YesWiki instance with ActivityPub enabled and running an affected version is at risk of unauthorized access to its network environment and potential data exfiltration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-52769 by upgrading YesWiki to version 4.6.6 or later immediately.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to access the vulnerable API endpoint.</li>
<li>Monitor <code>webserver</code> logs for HTTP POST requests to <code>/api/forms/*/actor/inbox</code> containing suspicious <code>Signature</code> headers, especially those with internal or cloud metadata IP addresses in the <code>keyId</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>web-vulnerability</category><category>php</category><category>yeswiki</category><category>unauthenticated</category><category>cve</category></item></channel></rss>