CVE-2026-28680
📋 TL;DR
Ghostfolio versions before 2.245.0 contain a server-side request forgery (SSRF) vulnerability in the manual asset import feature. An attacker who can reach that feature can make the server fetch attacker-chosen URLs, which exposes cloud metadata endpoints (such as the AWS instance metadata service, IMDS) and lets the attacker probe services on the internal network. Any instance running a version below 2.245.0 is affected.
💻 Affected Systems
- Ghostfolio
⚠️ Manual Verification Required
The CVE database entry for this issue carries no version range (none was provided to NVD), so automated, version-based vulnerability detection cannot decide whether your system is affected. The vendor advisory does give the boundary: the fix shipped in 2.245.0, so treat anything older as vulnerable and verify by hand:
- Review the CVE details at NVD
- Check the vendor security advisory (GHSA-hhv6-c34h-pwgh) against your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.245.0 or later; if your version cannot be determined, update to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cloud metadata exfiltration leading to cloud account compromise, internal network reconnaissance, and potential lateral movement to other services.
Likely Case
Exfiltration of cloud metadata (access keys, instance data) and internal service enumeration.
If Mitigated
Limited impact if network segmentation prevents access to metadata services and internal endpoints.
🎯 Exploit Status
Exploitation requires access to the manual asset import functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.245.0
Vendor Advisory: https://github.com/ghostfolio/ghostfolio/security/advisories/GHSA-hhv6-c34h-pwgh
Restart Required: Yes
Instructions:
1. Back up your Ghostfolio instance.
2. Update to version 2.245.0 or later via your deployment method (Docker, manual, etc.).
3. Restart the application.
🔧 Temporary Workarounds
Disable manual asset import (all platforms)
Temporarily disable the vulnerable feature until patching, or configure the application to restrict which accounts can reach the asset import functionality.
Network restrictions (Linux)
Block outbound requests from Ghostfolio to metadata services and internal networks. Added to the host's OUTPUT chain as written, the rules below apply to every process on the host: if Ghostfolio's own PostgreSQL or Redis sit on a private address they are cut off as well, so insert ACCEPT rules for those hosts first, or scope the DROP rules to the Ghostfolio process (iptables -m owner --uid-owner) or to its container (the DOCKER-USER chain). 169.254.169.254 is the metadata address on AWS, GCP and Azure alike; AWS additionally serves IMDS over IPv6 at fd00:ec2::254, which these IPv4 rules do not cover.
# Drop the cloud metadata endpoint (use 169.254.0.0/16 to cover the whole link-local block)
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Drop the RFC 1918 private ranges to stop internal service reconnaissance
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and egress filtering so the Ghostfolio host or container cannot reach cloud metadata endpoints (169.254.169.254 on AWS, GCP and Azure; fd00:ec2::254 for AWS over IPv6) or internal networks.
- On AWS, require IMDSv2 on the instance (HttpTokens=required in the instance metadata options): an SSRF that can only issue a GET cannot first obtain the session token that IMDSv2 demands in a PUT request, so credential reads through the metadata path fail. GCP and Azure metadata services likewise require a request header (Metadata-Flavor: Google, Metadata: true) that an attacker-supplied URL alone does not set, unless the import fetch lets the attacker control headers.
- Run the instance with the narrowest cloud role it needs, so that any credentials that do leak grant little.
- Use web application firewall (WAF) rules to block SSRF patterns in requests to the asset import endpoint, but treat them as defence in depth only: decimal or hex IP encodings (http://2852039166/ is 169.254.169.254), IPv6 forms, DNS names that resolve to internal addresses, and redirects from a public host all bypass literal pattern matching.
🔍 How to Verify
Check if Vulnerable:
Check if Ghostfolio version is below 2.245.0 and manual asset import is accessible.
Check Version:
Read the version from the Ghostfolio web interface or from the application's startup logs; for Docker deployments the pinned image tag also gives it (a "latest" tag does not).
Verify Fix Applied:
Confirm version is 2.245.0 or higher and test that SSRF attempts via asset import are blocked.
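The version comparison in the check above is easy to get wrong by comparing version strings lexically. The following Python helper, an added example that is not part of this page's original content or of Ghostfolio itself, does the comparison numerically against the fixed version 2.245.0. It takes the version text as read from the web interface or logs (a leading "v" and a pre-release suffix are tolerated); reporting a 2.245.0 pre-release as still vulnerable is a conservative assumption, not something the advisory states.

```python
import re
from typing import Tuple

# Fixed version from the vendor advisory; everything numerically below it is affected.
FIXED_VERSION = (2, 245, 0)

# Accepts "2.245.0", "v2.245.0" and "2.245.0-beta.1"; the trailing group is a pre-release tag.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for a version string as read
    from the Ghostfolio web interface or logs. Raises ValueError for anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.group(1, 2, 3))
    return (major, minor, patch), match.group(4) is not None


def is_vulnerable(version_text: str) -> bool:
    """True when the instance runs a version below 2.245.0.
    Compare numerically: as strings, "2.3.0" sorts after "2.245.0", so a naive
    string comparison would report an old 2.3.0 instance as fixed.
    A pre-release of exactly 2.245.0 is reported vulnerable (assumption: semver
    orders 2.245.0-rc below 2.245.0, and the advisory names only the release)."""
    numbers, prerelease = parse_version(version_text)
    if numbers < FIXED_VERSION:
        return True
    return numbers == FIXED_VERSION and prerelease


if __name__ == "__main__":
    for candidate in ("2.244.9", "2.3.0", "v2.245.0", "2.250.1"):
        print(candidate, "VULNERABLE" if is_vulnerable(candidate) else "fixed")
```

Feed it the exact string the instance reports; anything that does not parse raises rather than silently passing, which is the behaviour you want in a compliance check.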
📡 Detection & Monitoring
Log Indicators:
- Requests to the asset import endpoint carrying URLs that point at internal or cloud metadata addresses (if the URL travels in the request body, a reverse-proxy access log will not show it; application-level request logging is needed)
- Outbound connections to cloud metadata IPs (169.254.169.254) from Ghostfolio
Network Indicators:
- HTTP requests from Ghostfolio to internal IP ranges or metadata services
SIEM Query (Splunk-style):
The wildcard form url="*http://172.16.*" matches only 172.16.x.x and misses the rest of 172.16.0.0/12, https URLs, loopback, the IPv6 metadata address and hostname targets, so anchor on a regex instead:
source="ghostfolio" url="*import*" | regex url="(?i)://\[?(169\.254\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.0\.0\.0|::1|::ffff:|fd00:ec2::254|localhost|metadata)"
Decimal and hex IP literals (http://2852039166/) slip past any string match; correlate with the network indicator above to catch those.
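As an added example (not part of the original page or of Ghostfolio's code), the following Python script implements the log indicator above over a handful of constructed log lines. The log format is an assumption: an application-level log that records the URL submitted to the import endpoint as a url= field, with the endpoint path /api/v1/import also assumed. It goes beyond the SIEM query by recognising the encodings a wildcard or regex string match misses: decimal and hex IPv4 literals, IPv4-mapped and AWS IPv6 metadata addresses, loopback, and the GCP metadata hostname.

```python
import ipaddress
import re
from typing import List, Optional, Tuple, Union
from urllib.parse import urlparse

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostnames that reach internal or metadata services without an IP literal.
# metadata.google.internal is the GCP metadata alias for 169.254.169.254.
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}

# Constructed sample log lines (assumed application-level format that records the
# submitted import URL as a url= field; the /api/v1/import path is also an assumption).
SAMPLE_LOGS = [
    "2026-03-01T10:00:01Z ghostfolio POST /api/v1/import user=alice url=https://example.com/prices.csv",
    "2026-03-01T10:00:07Z ghostfolio POST /api/v1/import user=alice url=http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "2026-03-01T10:00:09Z ghostfolio POST /api/v1/import user=alice url=http://2852039166/latest/meta-data/",
    "2026-03-01T10:00:11Z ghostfolio POST /api/v1/import user=alice url=http://0xA9FEA9FE/latest/meta-data/",
    "2026-03-01T10:00:13Z ghostfolio POST /api/v1/import user=alice url=http://[fd00:ec2::254]/latest/meta-data/",
    "2026-03-01T10:00:15Z ghostfolio POST /api/v1/import user=alice url=http://metadata.google.internal/computeMetadata/v1/",
    "2026-03-01T10:00:17Z ghostfolio POST /api/v1/import user=alice url=http://172.20.5.10:5432/",
    "2026-03-01T10:00:19Z ghostfolio POST /api/v1/import user=alice url=http://localhost:3333/api/v1/admin",
    "2026-03-01T10:00:21Z ghostfolio GET /api/v1/portfolio user=alice",
]

URL_FIELD = re.compile(r"\burl=(\S+)")


def host_to_address(host: str) -> Optional[Address]:
    """Parse dotted IPv4, IPv6 and the decimal/hex IPv4 forms that HTTP clients
    accept (http://2852039166/ and http://0xA9FEA9FE/ both reach 169.254.169.254).
    Returns None for anything that is not a numeric address, e.g. a DNS name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))  # base 0 accepts "0x.." and plain decimal
        except ValueError:
            return None
    # ::ffff:169.254.169.254 is the same metadata endpoint in IPv4-mapped form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def classify_url(url: str) -> Optional[str]:
    """Reason string when the URL targets a metadata, private, loopback or
    link-local host; None for an ordinary public target."""
    host = urlparse(url).hostname  # lower-cased, IPv6 brackets removed
    if not host:
        return "unparseable host"
    if host in INTERNAL_HOSTNAMES:
        return f"internal hostname {host}"
    addr = host_to_address(host)
    if addr is None:
        return None  # public DNS name: resolution and redirects are not checked here
    if addr.is_link_local:  # 169.254.0.0/16, where the major cloud metadata services live
        return f"link-local/metadata address {addr}"
    if addr.is_loopback or addr.is_unspecified:
        return f"loopback address {addr}"
    if addr.is_private:  # RFC 1918 and fc00::/7 (covers AWS IMDS at fd00:ec2::254)
        return f"private address {addr}"
    return None


def flag_ssrf_imports(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every import-endpoint log line whose URL is suspicious."""
    hits = []
    for line in log_lines:
        if "/import" not in line:
            continue
        match = URL_FIELD.search(line)
        if match:
            reason = classify_url(match.group(1))
            if reason:
                hits.append((match.group(1), reason))
    return hits


if __name__ == "__main__":
    for url, reason in flag_ssrf_imports(SAMPLE_LOGS):
        print(f"ALERT {reason}: {url}")
```

It only classifies what is logged: a public hostname that resolves to an internal address (DNS rebinding) or an open redirect on a public host looks benign here, which is why the network indicator above, egress connections from the Ghostfolio host to 169.254.169.254 and the private ranges, remains the more reliable signal.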