Skip to main content

devlikeapro WAHA CVE-2026-6979

| EUVDEUVD-2026-25655 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-25 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Generated
Apr 25, 2026 - 12:30 vuln.today
CVSS changed
Apr 25, 2026 - 12:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Apr 25, 2026 - 12:15 euvd
EUVD-2026-25655
Analysis Generated
Apr 25, 2026 - 12:15 vuln.today
CVE Published
Apr 25, 2026 - 12:00 nvd
LOW 2.1

DescriptionCVE.org

A flaw has been found in devlikeapro WAHA up to 2026.3.4. This affects an unknown function of the file src/api/media.controller.ts of the component API Request Handler. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.

Technical ContextAI

The vulnerability exists in the API Request Handler component, specifically in the src/api/media.controller.ts file, which processes media-related API requests. The flaw is rooted in CWE-918 (Server-Side Request Forgery), where the application fails to properly validate or restrict URLs constructed from user-controlled input before making server-initiated HTTP requests. This allows attackers to abuse the server's network position to access internal resources, cloud metadata endpoints, or services not directly exposed to the attacker. The WAHA platform (likely a WhatsApp/messaging automation tool based on naming conventions) uses Node.js/TypeScript and exposes this functionality through its REST API layer.

RemediationAI

No vendor-released patch identified at time of analysis, and the vendor has not responded to disclosure communications. Immediate mitigation requires upgrading to a version beyond 2026.3.4 if released, or implementing network-level controls. As interim compensating controls: (1) Restrict access to the media API endpoint (/api/media or related routes) to trusted networks only via WAF or reverse proxy rules-this reduces the attack surface to internal/authenticated users; (2) Implement strict URL validation and allowlisting on any media URL parameters processed by the media.controller.ts handler, blocking internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1) and metadata service endpoints (169.254.169.254, 127.0.0.1:8000); (3) Disable or isolate the media handling feature if not actively required; (4) Monitor outbound connections from the WAHA service for unexpected destinations. Monitor vendor communication channels for patch releases and consider forking or switching to maintained alternatives if the vendor remains unresponsive.

Share

CVE-2026-6979 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy