{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/stoatchat/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-63306"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["stoatchat"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","web-application","unauthenticated","information-disclosure"],"_cs_type":"advisory","_cs_vendors":["stoatchat"],"content_html":"\u003cp\u003eCVE-2026-63306 details an unauthenticated server-side request forgery (SSRF) vulnerability affecting stoatchat versions before 0.13.5. The flaw resides within the \u003ccode\u003e/proxy\u003c/code\u003e and \u003ccode\u003e/embed\u003c/code\u003e endpoints, which are designed to accept arbitrary URLs. However, these endpoints lack crucial security controls, specifically DNS resolution filtering and private IP range validation. This absence of validation allows any unauthenticated attacker to supply specially crafted malicious URLs. By exploiting this, attackers can force the stoatchat server to make requests to internal network resources, thereby facilitating the enumeration of internal services, fingerprinting of applications, and direct access to sensitive instance metadata endpoints. This vulnerability poses a significant risk for information disclosure and could serve as an initial stepping stone for more advanced network compromises, impacting organizations using vulnerable stoatchat deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a public-facing stoatchat instance running a version prior to 0.13.5.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers the vulnerable \u003ccode\u003e/proxy\u003c/code\u003e or \u003ccode\u003e/embed\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET or POST request to one of these endpoints, embedding an internal target URL (e.g., \u003ccode\u003ehttp://127.0.0.1/admin\u003c/code\u003e or \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e) as a parameter.\u003c/li\u003e\n\u003cli\u003eThe stoatchat application processes the request, failing to validate the provided URL against internal or private IP ranges.\u003c/li\u003e\n\u003cli\u003eThe stoatchat server, acting on the attacker's behalf, initiates an outbound request to the specified internal network resource.\u003c/li\u003e\n\u003cli\u003eThe internal resource responds to the stoatchat server, which then relays the response content back to the attacker via the original \u003ccode\u003e/proxy\u003c/code\u003e or \u003ccode\u003e/embed\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the received response to enumerate accessible internal services, identify application banners, or extract cloud instance metadata.\u003c/li\u003e\n\u003cli\u003eThe gathered information is then used to plan further attacks, potentially leading to deeper network penetration or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63306 can lead to severe information disclosure within an organization's network. Attackers can remotely enumerate sensitive internal services and their configurations, gain insights into the network topology, and fingerprint internal applications. Critically, the vulnerability allows access to cloud instance metadata endpoints, which often contain highly sensitive credentials, API keys, and configuration data, enabling subsequent privilege escalation or unauthorized access to other cloud resources. While no specific victim count or sectors are detailed, any organization utilizing vulnerable stoatchat versions is at risk of unauthorized access to their internal network infrastructure and sensitive data, potentially leading to significant operational disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade all stoatchat instances to version 0.13.5 or newer to remediate CVE-2026-63306.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempted exploitation of the \u003ccode\u003e/proxy\u003c/code\u003e and \u003ccode\u003e/embed\u003c/code\u003e SSRF vulnerability in your webserver logs.\u003c/li\u003e\n\u003cli\u003eImplement strong network segmentation to limit internal service exposure and reduce the blast radius of successful SSRF attacks.\u003c/li\u003e\n\u003cli\u003eEnsure web application firewalls (WAFs) are configured to detect and block requests attempting to access internal IP addresses or specific metadata endpoints via public-facing application paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T13:22:57Z","date_published":"2026-07-16T13:22:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-stoatchat-unauthenticated-ssrf/","summary":"An unauthenticated server-side request forgery vulnerability, tracked as CVE-2026-63306, exists in stoatchat versions prior to 0.13.5 in the /proxy and /embed endpoints, allowing attackers to enumerate internal services, fingerprint applications, and access instance metadata endpoints, leading to unauthorized information disclosure and potential further compromise of internal infrastructure.","title":"Unauthenticated Server-Side Request Forgery (SSRF) Vulnerability in stoatchat CVE-2026-63306","url":"https://feed.craftedsignal.io/briefs/2026-07-stoatchat-unauthenticated-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Stoatchat","version":"https://jsonfeed.org/version/1.1"}