{"uuid": "786f6aec-79d9-4b36-a0e2-57e513bac287", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50872", "type": "seen", "source": "https://gist.github.com/pyuysig/272bf96c028ed45ad010b7c75937c914", "content": "# Vulnerability Report: CVE-2026-50872 - selfoss - Loopback trust handling can grant unintended access behind same-host proxy\n\n## Vulnerability Summary\nfossar selfoss 2.20-SNAPSHOT contains an incorrect access control issue in loopback request handling. When selfoss is deployed behind a same-host reverse proxy that forwards requests from 127.0.0.1 or ::1 without preserving the original client address, external attackers can be treated as trusted loopback clients and access privileged functionality, including SSRF through source title fetching.\n\n## Affected Product\n- **Vendor**: fossar\n- **Product**: selfoss\n- **Version**: 2.20-SNAPSHOT / 2.20 unreleased branch\n- **Vulnerable Component**: src/helpers/Authentication/AuthenticationFactory.php, src/helpers/Authentication/Services/Trust.php, POST /source, src/controllers/Sources/Write.php\n\n## Vulnerability Details\n- **Vulnerability Type**: Incorrect Access Control\n- **Weakness**: CWE-284, CWE-918\n- **Attack Conditions**: External request through a same-host reverse proxy that forwards to selfoss from loopback without X-Forwarded-For or Forwarded headers, followed by POST /source with an attacker-controlled RSS URL.\n\n## Report Body\n\n### Summary\nfossar selfoss 2.20-SNAPSHOT contains an incorrect access control issue in loopback request handling. When selfoss is deployed behind a same-host reverse proxy that forwards requests from 127.0.0.1 or ::1 without preserving the original client address, external attackers can be treated as trusted loopback clients and access privileged functionality, including SSRF through source title fetching.\n\n### Details\nThe trust/authentication layer treats loopback-originated requests as full-access trusted requests. In same-host reverse proxy deployments that do not forward original client address metadata, external traffic reaches selfoss with a loopback source address and inherits that trust decision.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50872.\n3. Confirm the security result: A request routed through such a proxy can access protected selfoss functionality and trigger server-side fetches via POST /source.\n\n### Impact\nContext-dependent authentication bypass and follow-on SSRF through source creation/title fetching.\n\n## Remediation\nDo not grant full access solely based on loopback source address in reverse-proxy deployments. Require explicit trusted proxy configuration and authenticated sessions for sensitive endpoints.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:38.000000Z"}