CVE-2026-3052: Server-Side Request Forgery in DataLinkDC dinky
A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-3052 identifies a server-side request forgery (SSRF) vulnerability in the DataLinkDC dinky software, affecting versions 1.2.0 through 1.2.5. The vulnerability resides in the proxyUba function within the Flink Proxy Controller (dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java). SSRF occurs when an attacker can manipulate the server to send crafted HTTP requests to arbitrary internal or external resources, potentially bypassing network access controls. In this case, the proxyUba function improperly validates or sanitizes input parameters, allowing remote attackers to induce the server to perform unintended requests. The flaw requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 score of 5.3 reflects medium severity, considering the ease of exploitation but limited impact scope (low confidentiality, integrity, and availability impact). However, the exploit code has been publicly disclosed, increasing the risk of exploitation. The vendor was notified early but has not issued a patch or response, leaving affected systems exposed. The vulnerability could enable attackers to access internal services, gather sensitive information, or pivot within the network, especially in environments where dinky acts as a proxy to backend systems or cloud services. No official patch or mitigation guidance has been published, complicating defense efforts. The vulnerability is relevant to organizations using DataLinkDC dinky for Apache Flink data processing proxying, particularly in cloud or hybrid environments.
Potential Impact
The SSRF vulnerability in DataLinkDC dinky can lead to unauthorized internal network reconnaissance, access to sensitive internal services, and potential data exfiltration. Attackers could leverage this flaw to bypass firewalls or network segmentation by making the vulnerable server send requests to internal-only endpoints. This may expose metadata services, internal APIs, or administrative interfaces not directly accessible from the internet. Although the CVSS score is medium, the presence of a public exploit increases the likelihood of active exploitation attempts. Organizations relying on dinky as a proxy for Apache Flink or other backend services may face increased risk of lateral movement or information disclosure. The lack of vendor response and patches prolongs exposure, potentially affecting data confidentiality and network integrity. Availability impact is limited but could occur if attackers use SSRF to trigger resource exhaustion or denial-of-service conditions on internal services. Overall, the vulnerability poses a moderate risk that could escalate if combined with other weaknesses or insider threats.
Mitigation Recommendations
1. Immediately restrict network access to the Flink Proxy Controller component, limiting it to trusted IP addresses or internal networks only.
2. Implement strict input validation and sanitization at the application or proxy layer to prevent malicious request manipulation.
3. Deploy web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) configured to detect and block SSRF patterns targeting the proxyUba endpoint.
4. Monitor logs for unusual outbound requests originating from the dinky server, especially those targeting internal IP ranges or sensitive services.
5. If possible, isolate the dinky proxy server in a segmented network zone with minimal privileges and no direct access to critical internal resources.
6. Engage in active threat hunting for signs of exploitation attempts using the public exploit code.
7. Consider deploying temporary reverse proxies or API gateways that enforce stricter request controls until an official patch is released.
8. Maintain up-to-date backups and incident response plans in case of compromise.
9. Follow DataLinkDC and Apache Flink community channels for updates or patches addressing this vulnerability.
Affected Countries
United States, China, Germany, India, Japan, South Korea, United Kingdom, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-23T17:50:08.684Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699d06cabe58cf853b07ca63
Added to database: 2/24/2026, 2:02:50 AM
Last enriched: 3/3/2026, 6:49:26 PM
Last updated: 4/10/2026, 5:23:45 AM
Views: 52