CVE-2026-57947

HIGH 8.5

Pinpoint - Server-Side Request Forgery via Alarm Webhook Registration

CVSS Score

8.5

EPSS Score

0.0%

EPSS Percentile

0th

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

CWE	CWE-918
Vendor	pinpoint-apm
Product	pinpoint
Published	Jun 29, 2026
Last Updated	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for pinpoint-apm pinpoint

Be the first to know when new high vulnerabilities affecting pinpoint-apm pinpoint are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

pinpoint-apm / pinpoint

0 ≤ 3.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/pinpoint-apm/pinpoint/issues/13857 vulncheck.com: https://www.vulncheck.com/advisories/pinpoint-server-side-request-forgery-via-alarm-webhook-registration

Credits

George Chen