Pinpoint – Server-Side Request Forgery via Alarm Webhook Registration

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N

Description

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

Basic Information

ID CVE-2026-57947

Source VulnCheck

Published Jun 29, 2026 at 17:18

Affected Product

Vendor pinpoint-apm

Product pinpoint

Affected Versions pinpoint-apm pinpoint 0

CWE Classification

CWE-918

References

{
    "lastseen": "",
    "description": "Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.",
    "published": "2026-06-29T17:18:50.802Z",
    "modified": "2026-06-29T17:18:50.802Z",
    "type": "cve",
    "title": "Pinpoint - Server-Side Request Forgery via Alarm Webhook Registration",
    "source": "VulnCheck",
    "references": "https://github.com/pinpoint-apm/pinpoint/issues/13857\nhttps://www.vulncheck.com/advisories/pinpoint-server-side-request-forgery-via-alarm-webhook-registration",
    "id": "CVE-2026-57947",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "pinpoint-apm pinpoint 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pinpoint",
    "version": "0",
    "vendor": "pinpoint-apm",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Pinpoint – Server-Side Request Forgery via Alarm Webhook Registration_CVE-2026-57947