CVE-2026-50134: CWE-918: Server-Side Request Forgery (SSRF) in gohugoio hugo
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
AI Analysis
Technical Summary
Hugo versions from 0.91.0 up to but not including 0.162.0 contain an SSRF vulnerability (CWE-918) in the resources.GetRemote function. While the function enforces security.http.urls on the initial URL, it fails to re-validate intermediate URLs when following HTTP 3xx redirects. This flaw allows an attacker controlling an allowed server or its DNS/response to redirect the request to a host that should be forbidden by the policy, effectively bypassing host restrictions. The vulnerability is resolved in version 0.162.0.
Potential Impact
An attacker able to control or compromise an allowed server or its DNS can exploit this vulnerability to cause Hugo to make HTTP requests to arbitrary hosts that the operator intended to block. This bypasses host-based access controls and could lead to unauthorized internal network access or data exposure depending on the context in which Hugo is used.
Mitigation Recommendations
This vulnerability is fixed in Hugo version 0.162.0. Users should upgrade to version 0.162.0 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Patch status is not explicitly confirmed in the advisory, but the fix version is stated. Until upgrading, operators should be cautious about the servers allowed in security.http.urls and monitor for suspicious redirects.
CVE-2026-50134: CWE-918: Server-Side Request Forgery (SSRF) in gohugoio hugo
Description
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
CVSS v4.0
Score 6.3medium
Affected software
pkg:golang/github.com/gohugoio/hugoRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Hugo versions from 0.91.0 up to but not including 0.162.0 contain an SSRF vulnerability (CWE-918) in the resources.GetRemote function. While the function enforces security.http.urls on the initial URL, it fails to re-validate intermediate URLs when following HTTP 3xx redirects. This flaw allows an attacker controlling an allowed server or its DNS/response to redirect the request to a host that should be forbidden by the policy, effectively bypassing host restrictions. The vulnerability is resolved in version 0.162.0.
Potential Impact
An attacker able to control or compromise an allowed server or its DNS can exploit this vulnerability to cause Hugo to make HTTP requests to arbitrary hosts that the operator intended to block. This bypasses host-based access controls and could lead to unauthorized internal network access or data exposure depending on the context in which Hugo is used.
Mitigation Recommendations
This vulnerability is fixed in Hugo version 0.162.0. Users should upgrade to version 0.162.0 or later to remediate this issue. No official patch or temporary fix is indicated beyond upgrading. Patch status is not explicitly confirmed in the advisory, but the fix version is stated. Until upgrading, operators should be cautious about the servers allowed in security.http.urls and monitor for suspicious redirects.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-03T18:49:32.275Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4c076827e9c7971920cbad
Added to database: 07/06/2026, 19:52:08 UTC
Last enriched: 07/06/2026, 20:07:06 UTC
Last updated: 07/06/2026, 21:25:04 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.