CVE-2026-3052 in dinky
Summary
by MITRE • 02/24/2026
A vulnerability was found in DataLinkDC dinky up to version 1.2.5. The affected code is the function proxyUba in the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Manipulation of the proxied request results in server-side request forgery. The attack can be launched remotely. A public exploit exists and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 05/10/2026
This vulnerability affects the DataLinkDC dinky platform in version 1.2.5 and earlier, specifically the Flink Proxy Controller component. The flaw resides in the proxyUba function in dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java. It is a server-side request forgery (SSRF): a remote attacker supplies a target that the dinky server then requests on the attacker's behalf, reaching internal or external systems the attacker could not contact directly. It is classified as CWE-918 (Server-Side Request Forgery).
Because the proxy forwards requests on behalf of the caller, an attacker can bypass the access controls that firewalls or network segmentation would normally impose and reach internal network resources. By steering proxyUba at arbitrary URLs, an attacker can probe internal hosts and ports, read responses from internal services, and reach services that trust requests originating from the dinky host. The vulnerability is exploitable remotely, so no foothold inside the network is needed, which makes it particularly dangerous where the dinky admin interface is reachable from the internet or from a shared cloud network.
Operationally, the vulnerability gives attackers a pathway for lateral movement within the network infrastructure. An SSRF in a proxy endpoint can be used to scan internal services, call internal APIs (including cloud metadata endpoints, where present), and attack systems that are not directly exposed to the internet. It can serve as one link in a broader attack chain leading to data exposure or compromise of adjacent systems. The existence of a public exploit raises the risk substantially, since it lowers the technical barrier to a successful attack.
Organizations running affected versions of DataLinkDC dinky should mitigate immediately. The proxy target should not be taken as a caller-supplied URL: restrict it to an allowlist of the configured Flink JobManager addresses, validate scheme, host and port before forwarding, and pin the outgoing connection to the address resolved at validation time. Restrict access to the dinky admin interface to trusted networks, apply egress filtering on the dinky host so it can reach only the Flink clusters it manages, and monitor for proxy requests whose targets are not allowlisted. Because the vendor did not respond to the disclosure, organizations should not assume a fix is available and should check the project's releases before relying on an upgrade.

In ATT&CK terms, exploitation of the endpoint maps to T1190 (Exploit Public-Facing Application), and use of the dinky server as a relay to reach internal systems maps to T1090 (Proxy); T1071.004 (Application Layer Protocol: DNS) applies only where an attacker confirms a blind SSRF through out-of-band DNS resolution. Administrators should also review network segmentation, disable unnecessary services, and audit all proxy and routing components. As with any SSRF, the impact is greatest in environments where internal resources are not isolated from the host that performs the forwarding.
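The following is an added example, not code from the dinky project and not a reconstruction of proxyUba: it shows the pass-through behaviour that turns a Flink proxy endpoint into an SSRF primitive beside the allowlist-and-pin check described above, and reuses that check to flag suspicious proxied targets in constructed access-log lines. The upstream hostnames, cluster CIDR, the /api/flink/proxy path, the url query parameter, the log format and the fake resolver are all assumptions for illustration.

```python
"""Added example (not dinky project code): allowlisted, pinned proxy targets
versus pass-through, plus a detection pass over constructed log lines."""
import ipaddress
import re
import socket
from urllib.parse import parse_qs, quote, urlsplit

# Assumed operator configuration: the JobManagers the proxy may reach and the
# address range the cluster lives in (hypothetical values).
ALLOWED_UPSTREAMS = {("flink-jm-1.internal", 8081), ("flink-jm-2.internal", 8081)}
CLUSTER_CIDR = ipaddress.ip_network("10.0.0.0/16")


class TargetRejected(ValueError):
    """Raised when a requested upstream fails the allowlist checks."""


def vulnerable_target(user_url):
    """The SSRF pattern: the server fetches whatever URL the client supplied.
    Kept only as the 'before' to compare against hardened_target()."""
    return user_url


def hardened_target(user_url, resolver=socket.gethostbyname):
    """Validate a client-supplied URL against the allowlist and return the
    pinned (ip, port, path) the outgoing request must use. The caller must
    connect to the returned IP rather than re-resolve the name, so a later
    DNS change (rebinding) cannot redirect the request."""
    parts = urlsplit(user_url)          # scheme and hostname come back lower-cased
    if parts.scheme not in ("http", "https"):
        raise TargetRejected(f"scheme not allowed: {parts.scheme!r}")
    # 'http://allowed-host:8081@169.254.169.254/' parses with the real target as
    # hostname and the allowed-looking text as userinfo; reject it outright.
    if parts.username is not None or parts.password is not None:
        raise TargetRejected("userinfo not allowed in target URL")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                  # non-numeric or out-of-range port
        raise TargetRejected("invalid port")
    host = parts.hostname
    if host is None or (host, port) not in ALLOWED_UPSTREAMS:
        raise TargetRejected(f"upstream not allowlisted: {host}:{port}")
    # Second line of defence: the allowlisted name must still resolve inside
    # the cluster range (catches a name repointed at loopback or metadata IPs).
    ip = ipaddress.ip_address(resolver(host))
    if ip not in CLUSTER_CIDR:
        raise TargetRejected(f"{host} resolved outside cluster range: {ip}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (str(ip), port, path)


def rejection_reason(user_url, resolver=socket.gethostbyname):
    """None if the target is accepted, otherwise the reason it was rejected."""
    try:
        hardened_target(user_url, resolver)
        return None
    except TargetRejected as exc:
        return str(exc)


def fake_resolver(host):
    """Stand-in for DNS so the example runs offline (constructed mapping)."""
    return {"flink-jm-1.internal": "10.0.1.11",
            "flink-jm-2.internal": "10.0.1.12"}.get(host, "203.0.113.99")


# Constructed access-log format: "<time> <client-ip> GET <request-target>".
LOG_RE = re.compile(r"^(\S+) (\S+) GET (\S+)")


def scan_proxy_log(lines, resolver=socket.gethostbyname):
    """Return (client_ip, target, reason) for every proxied request whose
    target the allowlist would reject. Against a pass-through proxy, each of
    these is a forwarded request that actually left the server."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, request = m.group(2), m.group(3)
        for target in parse_qs(urlsplit(request).query).get("url", []):
            reason = rejection_reason(target, resolver)
            if reason is not None:
                findings.append((client, target, reason))
    return findings


def _log_line(ts, client, target):
    return f"{ts} {client} GET /api/flink/proxy?url=" + quote(target, safe="")


# Constructed sample log: one legitimate request and three SSRF attempts.
SAMPLE_LOG = [
    _log_line("2026-02-24T10:00:01Z", "203.0.113.5", "http://flink-jm-1.internal:8081/jobs/overview"),
    _log_line("2026-02-24T10:00:02Z", "203.0.113.5", "http://169.254.169.254/latest/meta-data/"),
    _log_line("2026-02-24T10:00:03Z", "203.0.113.5", "http://flink-jm-1.internal:8081@127.0.0.1:6379/"),
    _log_line("2026-02-24T10:00:04Z", "198.51.100.7", "file:///etc/passwd"),
]

if __name__ == "__main__":
    print("pass-through would fetch:", vulnerable_target("http://169.254.169.254/latest/meta-data/"))
    print("pinned upstream:", hardened_target("http://flink-jm-1.internal:8081/jobs/overview", fake_resolver))
    for finding in scan_proxy_log(SAMPLE_LOG, fake_resolver):
        print("flagged:", finding)
```

The allowlist is the control that matters: blocking private ranges alone would be wrong for a Flink proxy, whose legitimate upstreams are internal. The resolver is injectable so the check can be exercised without DNS, and the userinfo rejection covers the common host-confusion bypass where the allowlisted name is placed before an `@`.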