CVE-2026-52769: YesWiki Unauthenticated SSRF via ActivityPub Signature keyId
An unauthenticated attacker can trick YesWiki into making arbitrary outbound HTTP requests to any host, including internal cloud metadata endpoints, by setting the keyId field in an HTTP Signature hea
The problem
The public ActivityPub inbox route (`POST /?api/forms/{formId}/actor/inbox`) accepts an HTTP `Signature` header and immediately fetches the URL in `keyId` before doing any cryptographic check or URL validation. No session, token, or prior knowledge is required.
The only precondition is that ActivityPub be enabled on at least one Bazar form (`bn_activitypub_enable = '1'`). Affected versions are 4.6.2 through 4.6.5 of `yeswiki/yeswiki`.
Proof of concept
A working proof-of-concept for CVE-2026-52769 in yeswiki/yeswiki, with the exact payload below.
POST /?api/forms/1/actor/inbox HTTP/1.1
Host: target.example
Content-Type: application/activity+json
Signature: keyId="http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-role",algorithm="rsa-sha256",headers="x",signature="y"
{}In `HttpSignatureService::verifySignature()`, the `Signature` header is parsed with `parse_ini_string()` and the `keyId` value is passed directly to `httpClient->request('GET', $sigConf['keyId'])` at line 96. There is no scheme check, no IP allowlist, and no private-range filter.
The patch (commit 87e627f) adds URL validation before the outbound fetch, blocking private IP ranges, link-local addresses (including `169.254.169.254`), and non-HTTPS schemes. The root cause is CWE-918: the attacker-controlled `keyId` string is used as a fetch target with no sanitization, making the server an open proxy for the attacker.
A 500 response containing `"Missing public key"` in the exception message confirms the fetch completed, giving the attacker a timing and error oracle for port scanning and internal service enumeration.
The fix
Upgrade to `yeswiki/yeswiki` 4.6.6, which validates the `keyId` URL and blocks requests to private or link-local addresses before any outbound HTTP call is made. If an immediate upgrade is not possible, disable ActivityPub on all Bazar forms (`bn_activitypub_enable = '0'`) to close the exposed route.
Related research
- high · 7.5CVE-2026-52770CVE-2026-52770: YesWiki Bazar API Unauthenticated Boolean-Based SQL Injection
- high · 8.3CVE-2026-52771CVE-2026-52771: YesWiki Second-Order SQL Injection in Page Delete API
- critical · 9.8CVE-2026-52778CVE-2026-52778: YesWiki CalcField Unsafe eval() Remote Code Execution and ReDoS
- highCVE-2026-56382: Craft CMS RCE via Yii2 Event Handler Injection in FieldsController