CVE-2026-53607 is a Server-Side Request Forgery vulnerability in ApostropheCMS (Node.js CMS) versions up to 4.30.0 when 'prettyUrls: true' is enabled on '@apostrophecms/file'. The public pretty-URL handler constructs an upstream URL using the raw 'Host' HTTP request header, which is attacker-controlled. The server then fetches this URL and streams the response back to the client. Although the path is constrained to a specific pattern derived from local database lookups, the attacker can cause the server to send HTTP requests to arbitrary internal hosts reachable by the server. This enables blind SSRF activities such as network topology discovery via response codes and timing differences. No official patch or remediation is currently available.

An unauthenticated remote attacker can exploit this SSRF vulnerability to make the ApostropheCMS server issue HTTP requests to internal network hosts. While the path component is restricted, preventing direct data exfiltration across instances, the attacker can still perform network reconnaissance and potentially identify internal services or infrastructure through timing and response code analysis. The CVSS score is 3.7 (low), reflecting limited confidentiality impact and no integrity or availability impact.

As of the publication date, no official patch or fix is available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is released, consider disabling the 'prettyUrls' feature on '@apostrophecms/file' if enabled, or restrict access to the application to trusted networks to reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.