
CVE-2026-25123: CWE-918: Server-Side Request Forgery (SSRF) in homarr-labs homarr

Severity: Medium
Tags: Vulnerability, CVE-2026-25123, CWE-918
Published: Fri Feb 06 2026 (02/06/2026, 21:19:40 UTC)
Source: CVE Database V5
Vendor/Project: homarr-labs
Product: homarr

Description

Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/14/2026, 12:09:03 UTC

Technical Analysis

CVE-2026-25123 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source dashboard software Homarr, specifically in versions prior to 1.52.0. The vulnerability resides in the unauthenticated tRPC endpoint widget.app.ping, which accepts an arbitrary URL parameter and performs an HTTP request from the server to that URL. Because this endpoint does not require authentication, any remote attacker can exploit it to make the Homarr server send outbound HTTP requests to arbitrary destinations. This SSRF capability allows attackers to probe internal or external network resources that are otherwise inaccessible, effectively enabling reconnaissance activities such as port scanning by analyzing response status codes and request timing. The vulnerability impacts confidentiality by potentially revealing internal network topology and services but does not directly compromise data integrity or availability. The CVSS 3.1 base score is 5.3, reflecting medium severity due to ease of exploitation (no authentication or user interaction required) but limited impact scope. No known exploits are reported in the wild as of the publication date. The vulnerability is resolved in Homarr version 1.52.0 by presumably restricting or validating the URLs accepted by the widget.app.ping endpoint or disabling unauthenticated access. Organizations running vulnerable versions of Homarr should prioritize upgrading to mitigate the risk. Given Homarr's role as a dashboard, attackers leveraging this SSRF could gain valuable network reconnaissance information, potentially facilitating further targeted attacks.

Potential Impact

For European organizations, this SSRF vulnerability poses a moderate risk primarily related to confidentiality breaches. Attackers can leverage the vulnerability to perform internal network reconnaissance, identifying open ports and services that are not exposed externally. This can lead to the discovery of sensitive internal infrastructure, increasing the risk of subsequent targeted attacks such as lateral movement, exploitation of internal services, or data exfiltration. While the vulnerability does not directly impact data integrity or system availability, the information gained can be a critical enabler for more damaging attacks. Organizations using Homarr dashboards in critical sectors such as finance, government, healthcare, or industrial control systems could be particularly at risk if internal network details are exposed. The unauthenticated nature of the exploit increases the threat as attackers do not need valid credentials or user interaction. However, the medium CVSS score reflects that the vulnerability alone does not allow direct compromise beyond information gathering. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation.

Mitigation Recommendations

1. Upgrade Homarr to version 1.52.0 or later immediately to apply the official fix for CVE-2026-25123.
2. If upgrading is not immediately possible, implement network-level controls to restrict outbound HTTP requests from the Homarr server, limiting its ability to reach internal or sensitive network resources.
3. Employ strict input validation and filtering on any exposed endpoints that accept URLs or network addresses to prevent SSRF attempts.
4. Monitor server logs for unusual outbound request patterns originating from the Homarr server, which may indicate exploitation attempts.
5. Use network segmentation to isolate the Homarr server from critical internal systems, reducing the impact of any SSRF-based reconnaissance.
6. Implement Web Application Firewalls (WAFs) with rules to detect and block SSRF attack patterns targeting the widget.app.ping endpoint.
7. Conduct regular security assessments and penetration tests focusing on SSRF and related vulnerabilities in internal dashboards or management tools.
8. Educate development and operations teams about SSRF risks and secure coding practices to prevent similar vulnerabilities in future.
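As an added illustration of recommendation 3, the following TypeScript is a generic target-URL validator for a server-side "ping" style endpoint. It is example code written for this page; it is not Homarr's code and it is not the change shipped in 1.52.0, whose details this page does not give. The function and type names (`parseTargetUrl`, `pickAllowedAddress`, `resolveSafeTarget`, `Resolver`) are hypothetical. It enforces an http/https scheme, rejects embedded credentials and localhost names, resolves the hostname, and refuses any address in loopback, link-local (including the cloud metadata address), RFC 1918, CGNAT, multicast or non-global IPv6 space, failing closed on anything it cannot classify.

```typescript
import { promises as dns } from "node:dns";

// IPv4 deny ranges that a request driven by an untrusted URL must never reach.
// Anything unparsable is reported as blocked so the check fails closed.
export function isBlockedIPv4(ip: string): boolean {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return true;
  const octets = parts.map(Number);
  if (octets.some((o) => o > 255)) return true;
  const [a, b] = octets;
  return (
    a === 0 || a === 10 || a === 127 ||      // "this" network, RFC 1918 /8, loopback
    (a === 100 && b >= 64 && b <= 127) ||    // 100.64.0.0/10 carrier-grade NAT
    (a === 169 && b === 254) ||              // link-local, includes 169.254.169.254 metadata
    (a === 172 && b >= 16 && b <= 31) ||     // 172.16.0.0/12
    (a === 192 && b === 168) ||              // 192.168.0.0/16
    a >= 224                                 // multicast and reserved
  );
}

// IPv6 is handled as an allow-list: only global unicast (2000::/3) passes.
// That rejects loopback (::1), link-local (fe80::/10), unique-local (fc00::/7)
// and IPv4-mapped forms (::ffff:a.b.c.d) without enumerating each one.
export function isBlockedIPv6(ip: string): boolean {
  return !/^[23][0-9a-f]{0,3}:/i.test(ip);
}

export function isBlockedAddress(ip: string): boolean {
  return ip.includes(":") ? isBlockedIPv6(ip) : isBlockedIPv4(ip);
}

export function isIpLiteral(host: string): boolean {
  return host.includes(":") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Syntactic checks on the user-supplied URL. Returns the bare hostname
// (IPv6 literals without brackets). WHATWG URL parsing already normalises
// forms such as http://2130706433/ to 127.0.0.1, so the literal check below
// sees the canonical address.
export function parseTargetUrl(rawUrl: string): { url: URL; host: string } {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error("invalid URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("only http and https are allowed");
  if (url.username !== "" || url.password !== "") throw new Error("credentials in URL are not allowed");
  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "" || host === "localhost" || host.endsWith(".localhost")) throw new Error("host not allowed");
  return { url, host };
}

// Every resolved address must be allowed; a name with one public and one
// private record is rejected rather than letting the resolver order decide.
export function pickAllowedAddress(addresses: string[]): string {
  if (addresses.length === 0) throw new Error("hostname did not resolve");
  for (const a of addresses) {
    if (isBlockedAddress(a)) throw new Error(`address ${a} is not allowed`);
  }
  return addresses[0];
}

export type Resolver = (host: string) => Promise<string[]>;

// Default resolver backed by the system resolver; injectable so tests run offline.
export const systemResolver: Resolver = async (host) =>
  (await dns.lookup(host, { all: true })).map((r) => r.address);

// Full check: returns the URL plus the one IP the outbound request must be
// pinned to. The caller must connect to `address` rather than re-resolving the
// name, otherwise a changed DNS answer between this check and the connect
// (DNS rebinding) can swap in an internal address.
export async function resolveSafeTarget(rawUrl: string, resolve: Resolver = systemResolver) {
  const { url, host } = parseTargetUrl(rawUrl);
  const addresses = isIpLiteral(host) ? [host] : await resolve(host);
  return { url, address: pickAllowedAddress(addresses) };
}
```

The validator is only one layer. The endpoint should also require authentication (the description's core problem is that the procedure was public), apply a short timeout, and return the same generic error for connection failures and non-2xx responses so that the response shape does not distinguish reachable from unreachable ports. Network egress restrictions (recommendation 2) remain the backstop if the application-level check is bypassed.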


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-29T14:03:42.539Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6986f13ef9fa50a62f11d4d4

Added to database: 2/7/2026, 8:01:02 AM

Last enriched: 2/14/2026, 12:09:03 PM

Last updated: 3/24/2026, 12:29:15 AM
