Vulnerability Description
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint itself, this allows an attacker to force the server to make arbitrary outbound HTTP requests to any host, including internal network addresses and cloud instance metadata services, and retrieve the response content. This issue has been patched in version 1.6.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Withknown | Known | < 1.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/idno/idno/releases/tag/1.6.4ProductRelease Notes
- https://github.com/idno/idno/security/advisories/GHSA-fcrh-fqxh-6fx6ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-28508?
CVE-2026-28508 is a vulnerability with a CVSS score of 8.6 (HIGH). Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any...
How severe is CVE-2026-28508?
CVE-2026-28508 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28508?
Check the references section above for vendor advisories and patch information. Affected products include: Withknown Known.