Summary
Paymenter has Blind Unauthenticated SSRF in the PayPal gateway module
Advisory details
Summary
The PayPal webhook endpoint /extensions/paypal/webhook processes the PAYPAL-CERT-URL HTTP header without validation, allowing attackers to control server-side HTTP request destinations.
Technical details
The /extensions/paypal/webhook endpoint processes incoming webhook requests and trusts the value of the PAYPAL-CERT-URL HTTP header without validation.
This value is passed directly into a server-side HTTP request via file_get_contents, allowing attackers to control the destination of the request. No allowlist, validation, or signature verification is applied to the header before usage.
As a result, the application can be coerced into performing HTTP requests to attacker-controlled or internal network destinations.
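The pattern described above, shown as an added illustration (not Paymenter's code) with a hardened variant beside it: the function names, the PAYPAL_CERT_HOSTS allowlist and the sample header values are assumptions, and the allowlist should be confirmed against PayPal's current documentation.

```php
<?php
// Added example, not Paymenter's code: the unsafe pattern the advisory
// describes, followed by a validating wrapper for the PAYPAL-CERT-URL header.

// Vulnerable pattern: the header value flows straight into an outbound request.
function fetchCertUnsafe(array $headers): string|false
{
    $certUrl = $headers['PAYPAL-CERT-URL'] ?? '';
    return @file_get_contents($certUrl); // caller of the webhook picks the destination
}

// Hosts PayPal serves webhook signing certificates from (assumed allowlist).
const PAYPAL_CERT_HOSTS = ['api.paypal.com', 'api.sandbox.paypal.com'];

// Returns the URL when it passes every check, or null when it must be rejected.
function validatePaypalCertUrl(string $certUrl): ?string
{
    $parts = parse_url($certUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // HTTPS only, no embedded credentials, no explicit port, allowlisted host only.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), PAYPAL_CERT_HOSTS, true)) {
        return null;
    }
    return $certUrl;
}

// Hardened pattern: reject the webhook instead of following an unvetted URL,
// and do not follow redirects so the fetch cannot be bounced elsewhere.
function fetchCertSafe(array $headers): string|false
{
    $certUrl = validatePaypalCertUrl($headers['PAYPAL-CERT-URL'] ?? '');
    if ($certUrl === null) {
        return false;
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($certUrl, false, $ctx);
}

// Constructed sample header values to exercise the validator.
var_dump(validatePaypalCertUrl('https://api.paypal.com/v1/notifications/certs/CERT-example'));
var_dump(validatePaypalCertUrl('http://internal-host.example/'));
var_dump(validatePaypalCertUrl('https://user:pw@api.paypal.com/v1/notifications/certs/CERT-example'));
```

Beyond the host allowlist, the webhook should still verify the PayPal transmission signature; the URL check only stops the fetch from being pointed at arbitrary hosts.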
Impact
This vulnerability allows remote unauthenticated attackers to induce server-side HTTP GET requests to arbitrary external or internal endpoints.
Depending on network configuration, this may lead to:
- Blind SSRF to external attacker-controlled systems
- Potential access to internal network services
No direct response data is returned to the attacker (blind SSRF), but the issue may still enable sensitive network probing or data exfiltration via side channels.