External risk intelligence

Scalar Proxy lets attackers steal credentials and gain control of your systems.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-30118

Scalar Proxy has a critical flaw letting attackers steal credentials and control systems by tricking it into visiting malicious links, potentially exposing sensitive data.

Halo Surface Signal: 4 (Likely)

Server-Side Request Forgery

External exposure likelihood

Halo Surface Signal score for CVE-2026-30118

The Scalar Proxy is a functional component designed to handle network traffic and API requests, typically serving as a gateway or edge service accessible to external users. The need for administrators to explicitly restrict access to internal networks as a mitigation confirms that the default deployment pattern is often internet-facing or reachable from untrusted external networks.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Scalar Proxy allows unauthenticated attackers to trick the backend server into making requests to any URL they choose. This could expose sensitive information like authentication cookies, potentially leading to unauthorized access.

  • Can expose sensitive cookies.
  • Potential for privilege escalation.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this SSRF vulnerability by crafting a malicious URL to trick the Scalar Proxy into making requests to arbitrary internal or external destinations. This allows the attacker to leak sensitive authentication cookies and headers, potentially leading to unauthorized access and privilege escalation within the targeted system.

  • No authentication required.
  • Targets Scalar Proxy endpoint.
  • Leaks authentication credentials.

Live Threat

Current exploitation, exposure, and threat context

This SSRF vulnerability in scalar/astro, which allows unauthenticated attackers to make the server request attacker-controlled URLs, presents a significant risk given its potential to expose authentication cookies and escalate privileges. The exploitation path appears straightforward, and the severity suggests it would be a tempting target for threat actors if the component becomes widely adopted.

  • Public exploit details exist.
  • Exploitation is unauthenticated.
  • Vulnerability affects a proxy component.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking incoming requests to the Scalar Proxy endpoint and investigate any unusual outbound network activity. Focus on identifying which assets are running scalar/astro v0.1.13 and assess their exposure. If the proxy is externally accessible, consider temporarily disabling it.

  • Block external access to Scalar Proxy.
  • Scan for and isolate vulnerable instances.
  • Monitor for suspicious outbound requests.

Frequently asked questions

What is the vulnerability in scalar/astro version 0.1.13?

The scalar/astro version 0.1.13 contains a Server-Side Request Forgery (SSRF) vulnerability in the Scalar Proxy's scalar_url query parameter. This weakness allows unauthenticated attackers to compel the backend server to issue HTTP requests to URLs specified by the attacker. This can lead to the exposure of authentication cookies and headers, potentially enabling privilege escalation.

How does the SSRF vulnerability in Scalar Proxy work?

The Server-Side Request Forgery (SSRF) vulnerability is triggered through the scalar_url query parameter in the Scalar Proxy endpoint. An unauthenticated attacker can manipulate this parameter to force the backend server to send HTTP requests to attacker-controlled URLs. This bypasses intended request routing and can be used to probe internal networks or external services.

What are the risks associated with this Scalar Proxy vulnerability?

The primary risks include the exposure of sensitive authentication cookies and headers, which can allow attackers to impersonate legitimate users. This can further lead to unauthorized access and privilege escalation within the targeted systems.

What is the relevance of the Halo Surface Signal score for this CVE?

The Halo Surface Signal score of 4, labeled 'Likely', indicates that the Scalar Proxy is likely internet-facing or accessible from untrusted external networks. This is because it's a functional component designed for network traffic and API requests, and mitigations often involve restricting access to internal networks, confirming its typical exposure.

What steps should be taken to address the Scalar Proxy vulnerability?

Prioritize blocking incoming requests to the Scalar Proxy endpoint and investigate any unusual outbound network activity. Identify and isolate all instances running scalar/astro v0.1.13. If the proxy is externally accessible, consider temporarily disabling it until a secure configuration can be implemented. Monitoring for suspicious outbound requests is also crucial.
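The mechanism described in the FAQ (a user-supplied target URL in a query parameter such as scalar_url) and the remediation steps above both come down to one control: a proxy must validate the destination before forwarding and must not relay the caller's credentials. The following is an added example of that check, not Scalar's own code; the allowlisted host, the header policy and the function names are assumptions.

```javascript
// Added example, not Scalar's code: validate the target URL a proxy endpoint
// receives before forwarding it. The allowlist and header policy are assumptions;
// only the `scalar_url` parameter name comes from the advisory.
const PRIVATE_V4 = [
  /^10\./, /^127\./, /^0\./, /^169\.254\./,
  /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./,
];
// Hypothetical allowlist of upstream API hosts the proxy may reach.
const ALLOWED_HOSTS = new Set(["api.example.com"]);
// Request headers that must never be relayed to the upstream target.
const DROP_HEADERS = new Set(["cookie", "authorization", "proxy-authorization"]);

function isPrivateHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // URL keeps [] on IPv6
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.startsWith("::ffff:")) {                        // IPv4-mapped, serialized as hex
    const [a, b] = h.slice(7).split(":").map((x) => parseInt(x, 16));
    return isPrivateHost(`${a >> 8}.${a & 255}.${b >> 8}.${b & 255}`);
  }
  if (h.includes(":")) return h === "::1" || /^(fe80|fc|fd)/.test(h); // v6 loopback/link-local/ULA
  return PRIVATE_V4.some((re) => re.test(h));
}

// Decide whether the `scalar_url` value may be forwarded.
// Returns { ok: true, target } or { ok: false, reason }.
function validateProxyTarget(scalarUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(scalarUrl); // WHATWG parsing normalizes shorthand/decimal IPs
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed: " + url.protocol };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  if (isPrivateHost(url.hostname)) return { ok: false, reason: "private or loopback host" };
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: "host not on allowlist: " + url.hostname };
  }
  return { ok: true, target: url.href };
}

// Strip the client's own credentials so a forwarded request cannot leak them.
function forwardableHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !DROP_HEADERS.has(k.toLowerCase()))
  );
}
```

The allowlist is the decisive control; the private-range check only limits damage when an allowlisted name later resolves somewhere unexpected, so DNS rebinding still needs to be handled at connection time.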
