CVE-2026-57947 | Pinpoint through 3.1.0 contains a server-side request forger… | CVSS 8.5 HIGH

Description

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

Metadata

CVE ID: CVE-2026-57947
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:57 UTC
Published: 2026-06-29 17:18 UTC
Last updated: 2026-06-29 19:41 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: pinpoint-apm / pinpoint
Sources: cve.org · NVD

Severity & Metrics

8.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
pinpoint-apm	pinpoint	—	0 ≤ 3.1.0

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N

References (2)