External risk intelligence

ntfy allows attackers to control your servers and access sensitive files

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-39087

ntfy versions before 2.22.0 have a critical flaw allowing unauthorized access to your servers and sensitive files. Update now to prevent this.

4Halo Surface Signal

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-39087

ntfy is a messaging and notification service frequently deployed as an internet-facing API or web application to facilitate communication across network boundaries. Given its role in bridging notification traffic between external sources and internal systems, these instances are commonly exposed to the public internet in typical deployment patterns.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This issue in ntfy could allow an attacker to trick the system into making requests to unintended locations, potentially accessing or manipulating internal resources. It's important to address because it can lead to sensitive data exposure or unauthorized actions.

  • Can affect systems reachable from the internet.
  • Allows attackers to control requests made by the server.
  • Could lead to data leaks or unauthorized access.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability to perform Server-Side Request Forgery (SSRF) attacks. This allows them to trick the ntfy server into making requests to arbitrary internal or external network resources on their behalf. This could be used to access sensitive information or interact with other services within the network.

  • No authentication required.
  • Targets the notification service's request handling.
  • Exploits an unanchored regular expression.

Live Threat

Current exploitation, exposure, and threat context

This Server-Side Request Forgery vulnerability in ntfy, which allows unanchored regular expressions, could be attractive to attackers as it offers the potential for remote code execution or information disclosure. While there are no immediate indicators of widespread exploitation, the vulnerability's critical severity and the nature of SSRF vulnerabilities mean that targeted attacks are plausible.

  • No KEV listing observed.
  • Public exploit information exists.
  • Patch released recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching or upgrading ntfy instances to version 2.22.0 or later to address the Server-Side Request Forgery vulnerability. If immediate patching is not feasible, implement network egress filtering and strictly control outbound traffic from affected servers to mitigate the risk of exploitation.

  • Upgrade ntfy to 2.22.0.
  • Block unexpected outbound traffic.
  • Monitor for suspicious network connections.

Frequently asked questions

What is ntfy and how is it used?

ntfy is a notification service that enables users to send messages to their own devices or to others. It is commonly used for sending alerts, status updates, or other time-sensitive information from various applications or systems to a central point for easy consumption.

What is CVE-2026-39087? What weakness does it represent?

CVE-2026-39087 is a critical vulnerability in ntfy, specifically a Server-Side Request Forgery (SSRF). This vulnerability arises from an unanchored regular expression, which attackers can exploit to trick the ntfy server into making requests to unintended network locations.

How can CVE-2026-39087 be triggered?

An attacker can exploit CVE-2026-39087 by tricking the ntfy server into making requests to arbitrary internal or external network resources on their behalf. This occurs due to an unanchored regular expression in the notification service's request handling, without requiring authentication.

What is the relevance of ntfy's CVE-2026-39087 vulnerability?

ntfy is a messaging and notification service often deployed as an internet-facing API or web application to facilitate communication across network boundaries. Its role in bridging notification traffic between external sources and internal systems makes exposed instances vulnerable to this critical SSRF flaw, which has a high attack score.

What actions should be taken to address ntfy's CVE-2026-39087?

To address CVE-2026-39087, it is recommended to upgrade ntfy instances to version 2.22.0 or later. If immediate patching is not possible, implement network egress filtering and strictly control outbound traffic from affected servers to mitigate exploitation risks.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified