CVE-2026-25123: CWE-918: Server-Side Request Forgery (SSRF) in homarr-labs homarr
CVE-2026-25123 is a Server-Side Request Forgery (SSRF) vulnerability in homarr-labs' open-source dashboard product Homarr, affecting versions prior to 1.52.0. An unauthenticated attacker can exploit a public tRPC endpoint (widget.app.ping) that accepts arbitrary URLs and triggers outbound HTTP requests from the server. This allows attackers to perform SSRF attacks, including port scanning of internal or protected networks by inferring open or closed ports from response status and timing. The vulnerability requires neither authentication nor user interaction and impacts confidentiality by potentially exposing internal network details. The issue was fixed in version 1.52.0.
AI Analysis
Technical Summary
CVE-2026-25123 is a Server-Side Request Forgery (SSRF) vulnerability in the Homarr open-source dashboard developed by homarr-labs. It affects versions prior to 1.52.0 and lies in a public, unauthenticated tRPC endpoint named widget.app.ping. The endpoint accepts an arbitrary URL parameter and performs an HTTP request from the Homarr server to that URL. Because the endpoint is unauthenticated and publicly reachable, an attacker can supply arbitrary URLs and have the server make outbound requests on their behalf.

This SSRF primitive lets an attacker probe internal or otherwise protected network resources that are not reachable from outside. By observing HTTP response status codes and request timing, the attacker can infer whether specific ports on internal hosts are open or closed, turning the endpoint into a port-scanning primitive that can support further activity such as lateral movement, exploitation of internal services, or data exfiltration. The impact is on confidentiality, through exposure of internal network topology and potentially sensitive services; integrity and availability of the Homarr server and its data are not directly affected. No authentication or user interaction is required, which raises the risk profile.

The issue was publicly disclosed and assigned CVE-2026-25123 with a CVSS v3.1 score of 5.3 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required, and limited impact scope. It was fixed in Homarr version 1.52.0 by restricting or sanitizing the URL input or disabling the vulnerable endpoint. No exploitation in the wild has been reported to date. Organizations running Homarr dashboards should upgrade to version 1.52.0 or later to remediate this issue.
Potential Impact
For European organizations, this SSRF vulnerability poses a moderate risk primarily by enabling attackers to conduct reconnaissance on internal networks. Many enterprises and public sector entities use dashboards like Homarr for centralized service monitoring and management, often deployed within internal or cloud environments. Exploitation could allow attackers to map internal services, identify vulnerable hosts, and plan subsequent attacks such as lateral movement or data theft. Confidentiality is impacted as internal network details and potentially sensitive endpoints may be exposed. Although the vulnerability does not directly compromise data integrity or availability, it lowers the overall security posture and increases the attack surface. Organizations in sectors with critical infrastructure, finance, healthcare, and government are particularly at risk if Homarr is used internally. The unauthenticated nature of the vulnerability means attackers can exploit it remotely without credentials, increasing exposure. However, the lack of known active exploitation and medium CVSS score suggest the threat is moderate but should not be ignored. Prompt patching and network segmentation can mitigate potential impacts.
Mitigation Recommendations
1. Upgrade Homarr installations to version 1.52.0 or later immediately to apply the official fix.
2. If upgrading is not immediately possible, restrict network access to the vulnerable tRPC endpoint (widget.app.ping) using firewall rules or reverse proxy configurations to limit exposure to trusted IPs only.
3. Implement strict input validation and sanitization on any endpoints accepting URLs to prevent SSRF.
4. Employ network segmentation and internal firewall rules to limit the Homarr server's ability to make outbound requests to sensitive internal services.
5. Monitor outbound HTTP requests from Homarr servers for unusual or unexpected destinations that may indicate exploitation attempts.
6. Conduct internal vulnerability scans and penetration tests to identify any residual SSRF risks or related misconfigurations.
7. Educate DevOps and security teams about SSRF risks and ensure secure coding practices for future dashboard or API development.
8. Review and harden access controls around internal services that could be targeted via SSRF.
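The Technical Summary describes the root cause (a public endpoint that fetches any URL it is handed) and recommendation 3 calls for strict validation of URL inputs. The TypeScript below is an added illustration of what such a guard looks like for a ping-style endpoint; it is not Homarr's code and not the 1.52.0 fix, of which the page says only that the input was restricted or sanitized or the endpoint disabled. It allowlists the scheme, rejects embedded credentials, and refuses any literal or resolved address in loopback, private, link-local (including the cloud metadata address), multicast or reserved ranges. The function name `checkPingTarget`, the `resolved` parameter and every sample address and hostname are assumptions constructed for the example.

```typescript
import { isIP } from "node:net";

// Verdict for a user-supplied URL that the server is about to fetch.
export interface TargetCheck {
  ok: boolean;
  reason?: string;
}

// IPv4 ranges a dashboard "ping" endpoint should never be steered into:
// "this network", RFC 1918 private, CGNAT, loopback, link-local (which also
// covers the 169.254.169.254 cloud metadata address), multicast and reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["224.0.0.0", 4],
  ["240.0.0.0", 4],
];

// Dotted-quad string to an unsigned 32-bit integer.
function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when `ip` falls inside base/bits.
function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
}

// Returns a reason if the IP literal `addr` must not be contacted, else undefined.
// Expects canonical forms as produced by the URL parser or dns.lookup. Plain DNS
// names return undefined here; the caller resolves them and passes the results
// through `resolved` below.
function blockedAddress(addr: string): string | undefined {
  const a = addr.toLowerCase();
  const kind = isIP(a);
  if (kind === 4) {
    for (const [base, bits] of BLOCKED_V4) {
      if (inCidr(a, base, bits)) return `${a} is in ${base}/${bits}`;
    }
    return undefined;
  }
  if (kind === 6) {
    if (a === "::1" || a === "::") return `${a} is IPv6 loopback/unspecified`;
    if (/^f[cd][0-9a-f]{2}:/.test(a)) return `${a} is IPv6 unique-local (fc00::/7)`;
    if (/^fe[89ab][0-9a-f]:/.test(a)) return `${a} is IPv6 link-local (fe80::/10)`;
    // IPv4-mapped addresses in dotted (::ffff:127.0.0.1) or hex (::ffff:7f00:1) form
    // are re-checked as IPv4 so the v4 blocklist cannot be bypassed through v6.
    const dotted = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (dotted) return blockedAddress(dotted[1]);
    const hex = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (hex) {
      const hi = parseInt(hex[1], 16);
      const lo = parseInt(hex[2], 16);
      return blockedAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return undefined;
  }
  return undefined;
}

// Decide whether a ping-style endpoint may fetch `raw`. `resolved` (hypothetical
// parameter) holds the addresses the caller already obtained for the hostname;
// the caller must then connect to one of those checked addresses rather than
// resolving a second time, otherwise a DNS rebinding race reopens the hole.
export function checkPingTarget(raw: string, resolved: string[] = []): TargetCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  // The WHATWG URL parser normalises shorthand such as 127.1, 0x7f000001 or
  // 2130706433 to dotted-quad form, so a literal-IP check covers those spellings.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost is not a valid ping target" };
  }
  for (const addr of [host, ...resolved]) {
    const reason = blockedAddress(addr);
    if (reason) return { ok: false, reason };
  }
  return { ok: true };
}
```

In a real handler the caller resolves the hostname once (for example with `dns.promises.lookup(host, { all: true })`), passes the addresses as `resolved`, and then opens the connection to the address that passed the check instead of letting the HTTP client resolve the name again. Two further points follow from the summary above: because the page's attack infers port state from status codes and timing, a ping endpoint should return a coarse reachable/unreachable result with a fixed timeout and be rate-limited, and it should require authentication, since nothing about a dashboard health check needs to be public.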
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T14:03:42.539Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6986f13ef9fa50a62f11d4d4
Added to database: 2/7/2026, 8:01:02 AM
Last enriched: 2/7/2026, 8:01:46 AM
Last updated: 2/7/2026, 10:14:08 AM