CVE-2026-28680 in Ghostfolio

Summary

by MITRE • 03/06/2026

Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can exploit the manual asset import feature to perform a full-read SSRF, allowing them to exfiltrate sensitive cloud metadata (IMDS) or probe internal network services. This issue has been patched in version 2.245.0.


Analysis

by VulDB Data Team • 03/11/2026

CVE-2026-28680 affects Ghostfolio, an open source wealth management platform for tracking and managing investments. The flaw is in the manual asset import feature and is a Server-Side Request Forgery (SSRF): a request parameter controls the URL that the server fetches, so an attacker who can reach the import feature can make the Ghostfolio backend issue requests to internal resources that are not exposed to the outside network. All versions prior to 2.245.0 are affected.

The root cause is insufficient validation of the URL that the manual asset import feature fetches on the user's behalf. The application does not restrict the scheme or the destination of that request, so nothing stops it from being pointed at loopback, private-range or link-local addresses. Because the response body is returned to the caller, this is a full-read SSRF: the attacker receives the fetched content rather than only learning whether a host answers. The most damaging target is a cloud instance metadata service such as the Amazon EC2 Instance Metadata Service (IMDS) at 169.254.169.254, which exposes instance identifiers and, through the instance's attached IAM role, temporary credentials (access key, secret key and session token) that can be used from anywhere.

Operationally the impact depends on where Ghostfolio is deployed. On a cloud instance, stolen metadata credentials let the attacker act with the instance's role against the cloud API, which can mean escalation well beyond the application host. On any network, the same primitive lets the attacker enumerate internal services (open ports, admin panels, unauthenticated internal APIs) and read their responses, which is the reconnaissance that precedes lateral movement. That the component is open source does not change the exposure; it does make it worth reviewing such features for how they handle outbound requests before deployment.

The fix is to upgrade to Ghostfolio 2.245.0 or later, which restricts the destinations the asset import feature will request. For defence in depth: apply egress rules to the application host that deny the link-local range (169.254.0.0/16), loopback and RFC 1918 space except where the application needs them; on AWS, require IMDSv2 (the --http-tokens required instance metadata option), since it demands a session token obtained with a PUT and sent as a header, which a GET-based SSRF cannot supply; and give the instance role only the permissions the application needs. The weakness is CWE-918 (Server-Side Request Forgery). In ATT&CK terms the entry point is T1190 (Exploit Public-Facing Application) and the metadata theft is T1552.005 (Unsecured Credentials: Cloud Instance Metadata API). For detection, log the destination of every outbound request made by the import feature and alert on 169.254.169.254, loopback and internal addresses; a WAF rule on the import endpoint catches only literal-IP payloads, since an attacker-controlled hostname or a redirect can reach the same addresses.
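As an added example (not Ghostfolio's own code and not taken from the 2.245.0 patch), this is the kind of destination guard that closes this class of bug in a TypeScript/NestJS backend: parse the user-supplied URL with the WHATWG URL class, allow only http and https, reject credentials and known metadata hostnames, then check every address the host resolves to against loopback, private, link-local and IPv6 equivalents. All names (checkOutboundUrl, isBlockedIp, Resolver, demoResolver) are hypothetical, and the resolver is a constructed in-memory stub so the block runs offline; in production it would wrap dns.promises.lookup with all: true.

```typescript
// Added example, not Ghostfolio code: a destination guard for user-supplied
// URLs, of the kind that belongs in front of an asset-import fetch.
// All names here are hypothetical.

// Resolver is injected so the block runs offline; production code would wrap
// dns.promises.lookup(host, { all: true }) and check every returned address.
type Resolver = (hostname: string) => string[];

interface UrlCheck {
  ok: boolean;
  reason?: string;
  resolvedIps?: string[];
}

// Dotted-quad IPv4 to an unsigned 32-bit number; null if not a valid IPv4 literal.
function ipv4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

function inCidr(ip: number, cidr: string): boolean {
  const [base, bits] = cidr.split('/');
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
}

// Ranges the backend must never fetch from. 169.254.0.0/16 covers the cloud
// metadata endpoint 169.254.169.254; the rest are "this network", RFC 1918,
// CGNAT, loopback, multicast and reserved space.
const BLOCKED_V4 = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
];

function isBlockedIp(ip: string): boolean {
  const v4 = ipv4ToInt(ip);
  if (v4 !== null) {
    for (const c of BLOCKED_V4) if (inCidr(v4, c)) return true;
    return false;
  }
  const v6 = ip.toLowerCase();
  // IPv6: unspecified, loopback, link-local fe80::/10, unique-local fc00::/7.
  if (v6 === '::' || v6 === '::1' || /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true;
  // IPv4-mapped addresses (::ffff:a.b.c.d, which the URL parser serialises as
  // ::ffff:xxxx:xxxx) are checked against the IPv4 list.
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6);
  if (dotted) return isBlockedIp(dotted[1]);
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isBlockedIp(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// The vulnerable pattern is fetch(body.url) with no check at all; this guard is
// what that fetch should be gated on. The WHATWG URL parser is used on purpose:
// it normalises spellings such as http://2130706433/ to 127.0.0.1, so the IP
// checks see the canonical address rather than the attacker's encoding.
function checkOutboundUrl(raw: string, resolve: Resolver): UrlCheck {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: 'unparseable URL' };
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };

  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (host === 'localhost' || host.endsWith('.localhost') || host === 'metadata.google.internal') {
    return { ok: false, reason: `blocked hostname ${host}` };
  }

  // A literal IP is checked directly; a name is resolved and EVERY answer is
  // checked, since an attacker-controlled zone can answer with 169.254.169.254.
  const isLiteral = ipv4ToInt(host) !== null || host.includes(':');
  const ips = isLiteral ? [host] : resolve(host);
  if (ips.length === 0) return { ok: false, reason: `unresolvable host ${host}` };
  const bad = ips.find(isBlockedIp);
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}`, resolvedIps: ips };
  return { ok: true, resolvedIps: ips };
}

// Constructed zone for the offline demo; the second name models an attacker
// zone that mixes a public address with the metadata endpoint.
const DEMO_ZONE: Record<string, string[]> = {
  'prices.example.com': ['203.0.113.10'],
  'rebind.attacker.example': ['203.0.113.10', '169.254.169.254'],
};
const demoResolver: Resolver = (h) => DEMO_ZONE[h] ?? [];
```

Two things the guard cannot do on its own. The connection that follows must go to one of the addresses that were checked (give the HTTP agent a lookup function that returns them, or connect by IP and set the Host header), otherwise a second DNS answer can swap in 169.254.169.254 between check and connect. And redirects must not be followed automatically: fetch with redirect set to manual and run the target of each Location header through the same check, since an external host the guard accepts can 302 to the metadata address.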

Responsible

GitHub M

Reservation

03/02/2026

Disclosure

03/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00055

KEV

no

Activities

very low

Sources
