CVE-2026-3052

6.3 MEDIUM

📋 TL;DR

This CVE describes a server-side request forgery (SSRF) vulnerability in the Flink Proxy Controller of DataLinkDC Dinky. An attacker can abuse the proxyUba function to make the Dinky server issue HTTP requests to destinations of the attacker's choosing, including internal systems that are not reachable from outside. All deployments running Dinky up to and including version 1.2.5 are affected.

💻 Affected Systems

Products:
  • DataLinkDC Dinky
Versions: up to 1.2.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Flink Proxy Controller component; any deployment with this component enabled is vulnerable.

📦 What is this software?

DataLinkDC Dinky is an open-source development and operations platform for Apache Flink (SQL development, job submission and cluster management). The affected component, the Flink Proxy Controller, forwards HTTP requests to Flink cluster endpoints on the server's behalf; an SSRF in such a component means the forwarding destination can be chosen by the requester instead of being fixed by the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could pivot to internal systems, access sensitive data, or perform internal reconnaissance leading to full network compromise. In a cloud deployment the shortest path is the instance metadata service: credentials read from it give the attacker the instance's cloud role, and everything else follows from that.

🟠

Likely Case

Unauthorized access to internal HTTP services, metadata services, or internal APIs that shouldn't be exposed externally.

🟢

If Mitigated

Limited to accessing only allowed internal endpoints with proper network segmentation and request validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub; remote exploitation is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

This page does not identify a fixed release, so treat 1.2.5 and every earlier version as affected. Monitor the project's release notes and security advisories. Before upgrading, confirm that the release you move to actually changes the proxyUba handling; a version number above 1.2.5 is not by itself evidence of a fix. Until then rely on the workarounds below.

🔧 Temporary Workarounds

Disable Flink Proxy Controller

Platform: all

Disable or remove the Flink Proxy Controller if nothing depends on it. The property below is a placeholder, not a documented Dinky setting: check the deployment's own configuration (Dinky is a Spring Boot application, normally configured through application.yml) for a switch that covers this controller, and if there is none, block the controller's routes at the reverse proxy in front of Dinky instead.

# Placeholder configuration change; the real property name, if one exists, must be taken from the Dinky release in use
flink.proxy.controller.enabled=false

Network Segmentation

Platform: linux

Restrict outbound connections from the Dinky servers to the internal services they actually need (the Flink clusters they manage and their database) and deny everything else internal, above all the cloud metadata address. Dropping ports 80 and 443 wholesale does not achieve this: a Flink JobManager on 8081 or a database on 3306 stays reachable through the SSRF while legitimate traffic breaks.

# Example egress policy (iptables, run as root). 10.20.0.15 is a placeholder for a Flink JobManager; add one ACCEPT per legitimate dependency (DNS, database, each Flink cluster) before the DROP rules
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.20.0.15 --dport 8081 -j ACCEPT
for net in 169.254.169.254 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do iptables -A OUTPUT -d "$net" -j DROP; done

🧯 If You Can't Patch

  • Keep Dinky off the internet: put it behind a VPN or an authenticating reverse proxy, since the exploit needs no Dinky credentials
  • Implement strict egress filtering on the Dinky hosts (and network policy for containerised deployments): deny 169.254.169.254, loopback and every internal range Dinky does not need, and allow only the Flink clusters and database it does
  • Deploy a web application firewall (WAF) with SSRF protection rules in front of the proxy endpoint; the rules must catch IP literals in alternate encodings (decimal, hex, octal, IPv6-mapped) and resolve host names before judging them, not just match the string 169.254.169.254
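The allow-list and resolution check that a WAF rule, a reverse proxy, or a hardened proxy endpoint should apply, as an added example in Python (this is not Dinky's code; the project is Java, and only the logic is being shown). The upstream allow-list ALLOWED_UPSTREAMS, the host names and the offline FAKE_DNS resolver are assumptions made for the example; a deployment would resolve with socket.getaddrinfo() and connect to the address returned by validate_target, never to the name.

```python
"""Destination validation for a server-side HTTP proxy endpoint (added example,
not Dinky's code). The allow-list, host names and FAKE_DNS are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: the only internal (host, port) pairs the proxy may reach.
ALLOWED_UPSTREAMS = {("flink-jm.internal.example", 8081)}

# Constructed offline stand-in for DNS; a deployment uses socket.getaddrinfo().
# "rebinder" models an attacker-controlled name pointed at the metadata service.
FAKE_DNS = {
    "flink-jm.internal.example": ["10.20.0.15"],
    "rebinder.attacker.example": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
}


def parse_ip_literal(host):
    """Decode the literal forms SSRF payloads use, or return None for a name.

    Dotted/colon notation plus bare hex, octal and decimal integers are handled
    (0xa9fea9fe, 025177524776 and 2852039166 are all 169.254.169.254). Forms
    ipaddress refuses, such as "127.1", come back as None, are then treated as
    names, get no DNS answer, and are rejected: unparseable means refused.
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if re.fullmatch(r"0x[0-9a-fA-F]+", host):
        value = int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):
        value = int(host, 8)
    elif re.fullmatch(r"\d+", host):
        value = int(host)
    else:
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:            # integer too large to be an address
        return None


def validate_target(url, resolve=FAKE_DNS.get):
    """Return (ip, port) the proxy may connect to, or raise ValueError.

    The caller must open the socket to the returned ip and not re-resolve the
    name: a second lookup is the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are proxied")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo refused: http://trusted@evil/ fools string checks")
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)

    literal = parse_ip_literal(host)
    if literal is not None:
        candidates = [literal]
    else:
        candidates = [ipaddress.ip_address(a) for a in (resolve(host) or [])]
        if not candidates:
            raise ValueError(f"{host} does not resolve")

    allow_listed = (host, port) in ALLOWED_UPSTREAMS
    pinned = None
    for ip in candidates:                 # every answer must pass, not just the first
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped           # ::ffff:169.254.169.254 -> 169.254.169.254
        if (ip.is_loopback or ip.is_link_local or ip.is_unspecified
                or ip.is_multicast or ip.is_reserved):
            raise ValueError(f"{host} -> {ip}: loopback/link-local/metadata/reserved")
        if ip.is_private and not allow_listed:
            raise ValueError(f"{host} -> {ip} is internal and {host}:{port} is not allow-listed")
        if pinned is None:
            pinned = ip
    return str(pinned), port


def is_proxyable(url, resolve=FAKE_DNS.get):
    """Boolean form of the verdict, the shape a WAF rule or a test wants."""
    try:
        validate_target(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("http://flink-jm.internal.example:8081/jobs/overview",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://2852039166/", "http://[::ffff:169.254.169.254]/",
                      "http://rebinder.attacker.example/"):
        print(f"{candidate:55} {'proxied' if is_proxyable(candidate) else 'refused'}")
```

Two points matter beyond the range check. Every address a name resolves to is judged, not only the first, and the address that passed is what the caller connects to, which removes the DNS-rebinding window between check and use. Anything the validator cannot parse is refused rather than passed through.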

🔍 How to Verify

Check if Vulnerable:

Check Dinky version; if version is 1.2.5 or earlier, the system is vulnerable.

Check Version:

Check the startup log, the version embedded in the jar file names of the distribution, or the jar manifest (the jar name below is a glob, adjust it to the deployment; grep cannot read inside a jar, so extract the manifest first):

unzip -p dinky-*.jar META-INF/MANIFEST.MF | grep -i version

Verify Fix Applied:

Confirm by behaviour, not only by configuration: after the change, a request to the proxy endpoint from an unauthenticated client should be refused, and egress rules should be tested by attempting a connection from the Dinky host to 169.254.169.254 and to an internal address outside the allow-list. Where an upgrade was applied, confirm that the running process reports a version above 1.2.5.

📡 Detection & Monitoring

Log Indicators:

  • Requests reaching the Flink proxy endpoint from unauthenticated or unexpected clients, and outbound HTTP from the Dinky server that does not go to a registered Flink cluster
  • Proxy targets that are loopback, link-local (169.254.169.254 metadata) or private addresses, including alternate encodings of them (decimal, hex, octal, IPv6-mapped) and host names that resolve to them

Network Indicators:

  • HTTP traffic from Dinky server to unexpected internal endpoints
  • Requests to 169.254.169.254 (cloud metadata) or internal services

SIEM Query:

The first query is pseudo-syntax (IN with CIDR ranges is not valid in most query languages). The second is the same check in Splunk SPL using cidrmatch(), with the expected Flink endpoint excluded so that normal traffic does not page anyone; 10.20.0.15:8081 is a placeholder for your JobManager.

source="dinky" AND (dest_ip=169.254.169.254 OR dest_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])

source="dinky" | where dest_ip="169.254.169.254" OR cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip) | where NOT (dest_ip="10.20.0.15" AND dest_port=8081) | stats count by dest_ip, dest_port
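To turn the network indicators above into something that runs, here is an added example (not the project's tooling and not a vendor rule) that scans constructed egress connection records for a Dinky host: it normalises IPv4-mapped IPv6, flags metadata, loopback and link-local destinations as high severity, treats any other internal address and port outside a known-good set as medium, and reports unexpected public destinations as low. DINKY_HOSTS, EXPECTED, the log format matched by LOG_RE and the SAMPLE_LOG lines are all assumptions made for the example.

```python
"""Flag suspicious egress from Dinky hosts in connection logs (added example,
not the project's tooling). Log format, addresses and names are constructed;
adapt LOG_RE to whatever records egress for you (host firewall, conntrack,
VPC flow logs, a forward proxy)."""
import ipaddress
import re
from collections import Counter

DINKY_HOSTS = {"10.20.0.5"}                                # constructed: the Dinky server(s)
EXPECTED = {("10.20.0.15", 8081), ("10.20.0.30", 3306)}   # constructed: Flink REST, database
METADATA = ipaddress.ip_address("169.254.169.254")

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample: two normal connections, four the SSRF could produce, and
# one from a host that is not Dinky (this rule must ignore it).
SAMPLE_LOG = """\
2026-03-01T10:00:01Z src=10.20.0.5 dst=10.20.0.15 dport=8081 bytes=4120
2026-03-01T10:00:02Z src=10.20.0.5 dst=10.20.0.30 dport=3306 bytes=900
2026-03-01T10:00:05Z src=10.20.0.5 dst=169.254.169.254 dport=80 bytes=310
2026-03-01T10:00:06Z src=10.20.0.5 dst=10.20.0.15 dport=22 bytes=0
2026-03-01T10:00:07Z src=10.20.0.5 dst=::ffff:127.0.0.1 dport=6379 bytes=0
2026-03-01T10:00:08Z src=10.20.0.5 dst=93.184.216.34 dport=443 bytes=2000
2026-03-01T10:00:09Z src=10.20.0.77 dst=169.254.169.254 dport=80 bytes=310
"""


def classify(dst, dport):
    """Return (severity, reason) for a destination, or None if it is expected."""
    ip = ipaddress.ip_address(dst)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                     # normalise IPv4-mapped IPv6
    if ip == METADATA:
        return ("high", "cloud metadata service")
    if ip.is_loopback:
        return ("high", "loopback (service on the Dinky host itself)")
    if ip.is_link_local:
        return ("high", "link-local")
    if (str(ip), dport) in EXPECTED:
        return None
    if ip.is_private:
        return ("medium", "internal address/port outside the known-good set")
    return ("low", "public destination not in the known-good set")


def scan(log_text):
    """Apply classify() to every record whose source is a Dinky host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["src"] not in DINKY_HOSTS:
            continue
        verdict = classify(m["dst"], int(m["dport"]))
        if verdict is not None:
            findings.append((m["src"], m["dst"], int(m["dport"])) + verdict)
    return findings


def summarize(findings):
    """Count findings per severity, the shape a SIEM alert would aggregate on."""
    return dict(Counter(f[3] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%-6s %s -> %s:%d  (%s)" % (f[3].upper(), f[0], f[1], f[2], f[4]))
    print(summarize(scan(SAMPLE_LOG)))
```

The known-good set is keyed on address and port, not address alone: the connection to the Flink JobManager on 8081 is normal, the one to the same host on 22 is not, and a rule that only checks destination IP would miss exactly the internal reconnaissance this SSRF enables.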
