CVE-2026-42260: Open-WebSearch SSRF Exposes Internal Networks
The National Vulnerability Database has detailed CVE-2026-42260, a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting Open-WebSearch versions prior to 2.1.7. The flaw, rated 8.2 on CVSS v3.1, stems from improper URL parsing in the isPublicHttpUrl and assertPublicHttpUrl functions in src/utils/urlSafety.ts. Specifically, these checks fail to recognize bracketed IPv6 literals (such as [::1]) and do not resolve DNS before classifying a URL as public, so the URL safety check can be bypassed.
This oversight allows attackers to craft malicious requests that bypass intended URL safety checks. The result is a non-blind SSRF, meaning attackers can receive the response body directly, effectively turning the vulnerable Open-WebSearch instance into a proxy for internal network reconnaissance and data exfiltration. This provides a direct channel into an organization’s internal infrastructure, bypassing perimeter defenses.
The implications for defenders are significant. An attacker can leverage this to map internal networks, access sensitive internal services, or even trigger actions on internal systems that are not publicly exposed. The National Vulnerability Database confirms that the vulnerability is fixed in Open-WebSearch version 2.1.7, emphasizing the urgency of patching to mitigate this direct threat to internal network segmentation.
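As an added illustration (not Open-WebSearch's own code), the check below shows the two gaps the advisory describes closed: the brackets are stripped from IPv6 literals before classification, IPv4-mapped addresses (in both the dotted and the hex form the WHATWG URL parser emits) are unpacked, and hostnames are resolved through an injected resolver so the check covers what a name actually points at. The `Resolver` type and `fakeDns` table are constructed for the example; production code would use `dns.promises.lookup(host, { all: true })`.

```typescript
import { isIP } from "node:net";
// Hypothetical resolver hook (not the project's API): production code would call
// dns.promises.lookup(host, { all: true }) and classify EVERY returned address.
export type Resolver = (host: string) => string[];

// True for loopback, unspecified, private, link-local, CGNAT and IPv4-mapped IPv6.
export function isNonPublicIp(ip: string): boolean {
  const fam = isIP(ip);
  if (fam === 4) {
    const [a, b] = ip.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127);
  }
  if (fam === 6) {
    const v6 = ip.toLowerCase();
    // IPv4-mapped in dotted form (::ffff:127.0.0.1): classify the embedded IPv4.
    const dotted = /^::ffff:(\d+(?:\.\d+){3})$/.exec(v6);
    if (dotted) return isNonPublicIp(dotted[1]);
    // WHATWG URL parsing serializes the same address as ::ffff:7f00:1; unpack the hex.
    const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (hex) {
      const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
      return isNonPublicIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
    return v6 === "::" || v6 === "::1" || v6.startsWith("fe80:") ||
      v6.startsWith("fc") || v6.startsWith("fd");
  }
  return true; // not a valid IP literal at all: refuse rather than guess
}

export function isPublicHttpUrl(raw: string, resolve: Resolver): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  // URL.hostname keeps the brackets on IPv6 literals ("[::1]") and net.isIP("[::1]")
  // returns 0, so a check that never strips them sees a "hostname" rather than loopback.
  const host = u.hostname.startsWith("[") ? u.hostname.slice(1, -1) : u.hostname;
  // Classify what a name resolves to as well, not just literal addresses.
  const addrs = isIP(host) ? [host] : resolve(host);
  return addrs.length > 0 && addrs.every((a) => !isNonPublicIp(a));
}

// Constructed DNS table for the example (not real records).
const table: Record<string, string[]> = {
  "site.example": ["203.0.113.10"],
  "intranet.example": ["10.0.0.5"],
  "rebind.example": ["203.0.113.10", "127.0.0.1"],
};
export const fakeDns: Resolver = (host) => table[host] ?? [];
```

Because the URL is parsed before classification, alternate IPv4 spellings such as `127.1` are normalised by the parser and caught by the same IPv4 branch.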
What This Means For You
- If your organization uses Open-WebSearch, you are directly exposed to non-blind SSRF. Immediately identify all instances running versions prior to 2.1.7 and patch them to the fixed version. This isn't just about accessing public resources; this vulnerability can let attackers pivot deep into your internal network.
🛡️ Detection Rules
Detection rules auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML below can be converted to other SIEM formats.
```yaml
# Title is quoted: a plain scalar containing ": " is not valid YAML
title: 'CVE-2026-42260: Open-WebSearch SSRF via Unrecognized IPv6 Literals'
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-42260 by sending requests to Open-WebSearch
  containing IPv6 literals within brackets in the query string. The vulnerability lies
  in the improper handling of these literals, allowing SSRF attacks.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42260/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '[::1]'
      - '[::ffff:127.0.0.1]'
      - '[::ffff:0:1]'
      # The same literals as clients commonly send them, with the brackets percent-encoded
      - '%5B::1%5D'
      - '%5B::ffff:127.0.0.1%5D'
      - '%5B::ffff:0:1%5D'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42260 | SSRF | Open-WebSearch < 2.1.7 |
| CVE-2026-42260 | SSRF | src/utils/urlSafety.ts:isPublicHttpUrl |
| CVE-2026-42260 | SSRF | src/utils/urlSafety.ts:assertPublicHttpUrl |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.