CVE-2026-3052: Server-Side Request Forgery in DataLinkDC dinky
CVE-2026-3052 is a server-side request forgery (SSRF) vulnerability in DataLinkDC's dinky product versions up to 1.2.5, specifically in the proxyUba function of the Flink Proxy Controller component. This flaw allows remote attackers to manipulate requests and potentially make the server perform unauthorized requests to internal or external systems. The vulnerability requires no user interaction and no authentication, making it remotely exploitable. Although the CVSS score is medium (5.3), the exploit code has been publicly disclosed, increasing the risk of exploitation. The vendor has not responded to the disclosure, and no official patches are currently available. Organizations using affected versions should prioritize mitigation to prevent potential data exposure or internal network reconnaissance. Countries with significant use of DataLinkDC dinky, especially those with critical infrastructure relying on Flink Proxy Controller, are at higher risk.
AI Analysis
Technical Summary
CVE-2026-3052 is a server-side request forgery vulnerability found in DataLinkDC's dinky software up to version 1.2.5. The vulnerability resides in the proxyUba function within the Flink Proxy Controller component (file: dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java). SSRF vulnerabilities allow attackers to craft malicious requests that the vulnerable server then executes, potentially accessing internal resources or services that are otherwise inaccessible externally. This particular vulnerability can be triggered remotely without authentication or user interaction, making it easier for attackers to exploit. The flaw allows an attacker to manipulate the proxyUba function to send arbitrary requests from the server, which could lead to unauthorized information disclosure, internal network scanning, or interaction with internal services. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, combined with the ease of exploitation. The vendor was notified early but has not issued a patch or response, and public exploit code is available, increasing the urgency for organizations to implement mitigations. No known exploits in the wild have been reported yet, but the public availability of exploit details raises the risk of imminent attacks.
Potential Impact
The SSRF vulnerability in DataLinkDC dinky can have several impacts on affected organizations. Attackers can leverage this flaw to perform unauthorized internal network reconnaissance, potentially discovering sensitive internal services and infrastructure. This can lead to further exploitation, such as accessing internal APIs, databases, or cloud metadata services, which may contain sensitive credentials or configuration data. Confidentiality is at risk due to possible data leakage from internal systems. Integrity and availability impacts are lower but possible if attackers use the SSRF to trigger harmful requests or denial-of-service conditions on internal services. The lack of authentication and user interaction requirements increases the attack surface, making it easier for remote attackers to exploit. Organizations relying on dinky for data processing or proxying within critical environments may face increased risk of lateral movement or data exfiltration. The absence of vendor patches and public exploit code availability further elevate the threat level, especially for environments exposed to untrusted networks.
Mitigation Recommendations
Given the absence of official patches, organizations should implement the following mitigations:
1) Restrict network egress from the dinky server to only trusted and necessary destinations using firewall rules or network segmentation to limit SSRF impact.
2) Implement strict input validation and sanitization on any parameters passed to the proxyUba function or related proxy features to prevent malicious request manipulation.
3) Monitor logs and network traffic for unusual or unexpected outbound requests originating from the dinky server, focusing on internal IP ranges and sensitive endpoints.
4) If possible, disable or restrict the use of the Flink Proxy Controller component until a patch is available.
5) Employ Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) with SSRF detection capabilities to detect and block suspicious requests.
6) Maintain an inventory of all dinky instances and upgrade to a patched version once released by the vendor.
7) Conduct internal penetration testing and threat hunting to identify any exploitation attempts.
These steps go beyond generic advice by focusing on network-level controls, input validation, and proactive monitoring tailored to this specific SSRF vulnerability.
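As an added example (not dinky's code), the allow-list check that mitigation 2 calls for, written in Python: each permitted proxy target name is pinned to the network it must resolve into, every resolved address is re-checked so a rebinding name cannot reach loopback or the link-local metadata range, and anything not explicitly listed is refused. The host name, network and port are constructed sample values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
# Allow-listed proxy targets, each pinned to the network it must resolve into (constructed values).
ALLOWED_TARGETS = {
    "flink-jobmanager.internal.example": [ipaddress.ip_network("10.20.0.0/24")],
}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {8081}
# Ranges never reachable through the proxy, whatever the allow-list says.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata
    ipaddress.ip_network("::1/128"),
]

def resolve_all(host):
    """Every address the name resolves to; the checks must pass for all of them."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_proxy_target(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied proxy target URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if host not in ALLOWED_TARGETS:
        return False, "host not on allow-list"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "name resolution failed"
    for addr in addrs:  # re-check every answer: guards against DNS rebinding
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"resolves into blocked range: {addr}"
        if not any(ip in net for net in ALLOWED_TARGETS[host]):
            return False, f"resolves outside pinned network: {addr}"
    return True, "ok"
```

The resolver is injectable so the check can be unit-tested offline; in production the default uses the system resolver.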
Affected Countries
United States, China, Germany, India, Japan, South Korea, United Kingdom, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-23T17:50:08.684Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699d06cabe58cf853b07ca63
Added to database: 2/24/2026, 2:02:50 AM
Last enriched: 2/24/2026, 2:16:57 AM
Last updated: 2/24/2026, 4:14:31 AM