Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by rulebrekerz - 12.07.2026
Last edited by cbay - 13.07.2026

FS#401 - Critical SSRF via Application Script Source URI — Cross-Tenant Data Leak

Critical SSRF via Application Script Source URI — Cross-Tenant Data Leak
Severity: Critical
Target: admin.alwaysdata.com
Auth: Free-tier account (no special permissions)

Summary
The "Installation script source URI" field accepts internal URLs like `<REDACTED>`. The server fetches the URL from its own backend and stores the full response in the script field, readable by the attacker. No IP/port validation exists. This leaks other customers' data, internal server names, and full stack traces.

Steps to Reproduce
1. Log in to `https://admin.alwaysdata.com` (free account works)
2. Go to Web → Sites → Applications → Application scripts → Add 3. Fill required fields with any values. For Installation script enter:

#!/bin/bash
site:

type: custom

echo installed

4. Set Installation script source URI to: `<REDACTED>`
5. Click Submit

6. Click the refresh/update icon next to the script (or visit `/site/application/script/<ID>/update_script/`)
7. Open the script edit page — the Installation script textarea now contains <REDACTED>.

Impact
- Cross-tenant data leak — read other customers' account names, domains, and operations
- Internal infrastructure mapping — server hostnames, paths, stack traces exposed
- Firewall bypass — requests come from the server itself, reaching localhost-only services
- No rate limit — can probe unlimited internal ports/services
- 147 MB exfiltrated in a single request with no size restriction

Thank You

Closed by  cbay
13.07.2026 13:08
Reason for closing:  Fixed
Admin
cbay commented on 13.07.2026 12:34

Hello,

Can you confirm that the bug is fixed?

Kind regards,
Cyril

Dear Team,,

I have completed the retest, and I can confirm that the vulnerability has been successfully fixed.

Thank You

Admin
cbay commented on 13.07.2026 13:08

Thanks, you can open a support ticket to claim your bounty.

Hi,

We raised our support ticket→ https://admin.alwaysdata.com/support/94681/#bottom

thanks

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing