Security Advisory v2.4.33: Fixes SSRF, Permission Bypass, and CVE-2026-44243/44244

Vulnerability Overview Multiple security vulnerabilities were identified in version , affecting Webhook configuration, API permission controls, and regular expression processing. Scope of Impact Webhook Configuration: Vulnerabilities exist in the and configuration variables, potentially allowing unauthorized creation or deletion of malicious records. API Permission Control: The attribute was erroneously editable by users; the view poses a denial-of-service (DoS) risk; and permission checks contain vulnerabilities. Regular Expression Processing: Vulnerabilities in regular expression handling within the view could lead to denial-of-service conditions. Remediation Measures Webhook Configuration: - Introduced the setting variable, defaulting to restrict allowed schemes to HTTP or HTTPS. - Introduced the setting variable to specify additional blocked IP networks. - Introduced the setting variable to specify additional blocked hosts. - Implemented logic to reject loopback, local, multicast, unspecified, or reserved IP addresses. - Implemented logic to protect Webhook definitions against Server-Side Request Forgery (SSRF). API Permission Control: - Fixed the issue where was incorrectly allowed to be edited by users. - Added data validation methods to and the helper class. - Added timeout mechanisms to the view to mitigate denial-of-service risks. - Enforced user "view" permission in the REST API when assigning related objects via . Regular Expression Processing: - Updated the dependency to to mitigate CVE-2026-44243, CVE-2026-44244, and GHSA-mv93-x799-q2xw. Proof of Concept (POC) Code or Exploit Code No specific POC code or exploit code was provided in the source material. Summary Version addresses multiple security vulnerabilities primarily concerning Webhook configuration, API permission controls, and regular expression processing. The remediation measures include introducing new configuration variables, implementing protective logic, and updating dependencies.

Goal Reached Thanks to every supporter — we hit 100%!

Security Advisory v2.4.33: Fixes SSRF, Permission Bypass, and CVE-2026-44243/44244

More from this source