Skip to main content

Hugo CVE-2026-50134

| EUVDEUVD-2026-41916 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-16 https://github.com/gohugoio/hugo GHSA-vxgm-5rmg-5w8g
6.3
CVSS 4.0 · Vendor: https://github.com/gohugoio/hugo
Share

Severity by source

Vendor (https://github.com/gohugoio/hugo) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network-exploitable via build-time HTTP; AC:H because attacker must control an allow-listed host or its DNS; scope change to internal hosts drives C:H with no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (https://github.com/gohugoio/hugo).

CVSS VectorVendor: https://github.com/gohugoio/hugo

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 06, 2026 - 20:22 NVD
6.3 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 20:01 vuln.today
Analysis Generated
Jun 16, 2026 - 20:01 vuln.today

DescriptionCVE.org

Commit: 86fbb0f7a8 - _security: Validate redirects against security.http.urls_ Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1. Fixed in: v0.162.0. Severity: Only relevant for sites that rely on security.http.urls as a trust boundary - e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.

Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid - for example, http://localhost/ or an internal IP - and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.

AnalysisAI

HTTP redirect validation bypass in Hugo v0.91.0-v0.161.1 allows the resources.GetRemote build-time HTTP client to follow 3xx redirects to hosts explicitly forbidden by the security.http.urls allow-list, enabling server-side request forgery (SSRF) against internal network targets. Build pipelines that rely on security.http.urls as a trust boundary - for example, CI systems that fetch from semi-trusted external hosts while restricting access to internal metadata services or private IP ranges - are the primary risk population. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Hugo CI build using security.http.urls allow-list
Delivery
Compromise or spoof an allow-listed external host
Exploit
Serve HTTP 3xx redirect to forbidden internal target (e.g., metadata API, Redis)
Execution
Hugo follows redirect without re-validating target URL
Persist
Internal host responds with sensitive data
Impact
Data embedded in build output or exfiltrated via build logs

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the Hugo site must have a non-empty `security.http.urls` allow-list configured in `hugo.toml` - deployments without this setting or those that fully trust all remote URLs are explicitly excluded by the advisory; (2) one or more Hugo templates must call `resources.GetRemote` with a URL pointing to a host matched by the allow-list during the build; (3) the attacker must be able to influence the HTTP response of that allowed host - by compromising the server, poisoning its DNS entry as seen from the build host, or intercepting unencrypted HTTP traffic on the build network - in order to serve a 3xx redirect to a forbidden target. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector is provided in the source data, so risk is inferred entirely from the description, CWE classification, and advisory context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised a web server already permitted by the victim's `security.http.urls` allow-list (or who can hijack its DNS record within the CI/CD build network) configures it to respond with an HTTP 302 redirect pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` or an internal Redis instance. When the Hugo CI pipeline executes `resources.GetRemote` against the allowed host, the unpatched HTTP client silently follows the redirect and fetches the internal resource, potentially embedding cloud IAM credentials or internal service responses into build artifacts or logs. …
Remediation Upgrade Hugo to v0.162.0 or later, which installs a `CheckRedirect` hook on the `resources.GetRemote` HTTP client that re-validates every redirect target URL against `security.http.urls` and caps redirect chains at 10 hops. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-50134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy