API Authentication Flaw in Idno Social Publishing Platform
CVE-2026-28508

9.2 CRITICAL

Key Information:

Vendor: Idno

Status
Vendor
CVE Published: 6 March 2026

What is CVE-2026-28508?

The Idno Social Publishing Platform contains a critical logic error in its API authentication flow. This flaw allows unauthenticated remote attackers to bypass CSRF protection on the URL unfurl service endpoint, which does not require a login. Consequently, attackers can force the server to make arbitrary outbound HTTP requests to any host, including internal addresses and cloud metadata services, potentially exposing sensitive information. This vulnerability was addressed in version 1.6.4.
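As an added example (not Idno's code and not the 1.6.4 fix), the following shows a defence-in-depth destination check that a URL unfurl fetcher can apply before making the outbound request described above, refusing internal and cloud metadata addresses. The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve(host):
    """Default resolver: every address the name maps to (needs DNS for names)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (which covers
    # 169.254.169.254, the usual metadata address) and reserved ranges.
    return ip.is_global and not ip.is_multicast


def check_unfurl_target(url, resolver=resolve):
    """Return (allowed, reason) for a URL an unfurl fetcher is asked to load."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addrs:
        return False, "resolution failed"
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked:
        # One internal answer is enough to refuse: a name can map to several.
        return False, "non-public address: " + blocked[0]
    # The fetcher must connect to one of `addrs` rather than resolve the name
    # again, otherwise a later DNS answer can differ from the one checked here.
    return True, "ok"
```

The same check has to be repeated on every redirect hop, since a public URL can redirect to an internal one.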

Affected Version(s)

idno < 1.6.4

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
