CVE-2026-11437: SSRF in go-fastdfs-web-go Installation
| Field | Value |
|---|---|
| CVE ID | CVE-2026-11437 |
| CVSS score | 7.3 (High) |
| Attack vector | Remote |
| Auth required | Unknown; assume unauthenticated exposure |
| Patch status | No confirmed fixed version as of 2026-06-06 |
TL;DR - CVE-2026-11437 is an SSRF in
/install/checkServerin perfree go-fastdfs-web-go. - Versions up to and including 1.3.7 should be treated as affected. - NVD states an exploit is published; no confirmed fix is publicly verified yet.
What is CVE-2026-11437 and Why Does It Matter?
CVE-2026-11437 is a server-side request forgery (SSRF) vulnerability affecting perfree’s go-fastdfs-web project, specifically the perfree/go-fastdfs-web-go repository. The vulnerability is tied to the checkServer function exposed through the /install/checkServer installation endpoint. The National Vulnerability Database (NVD) classifies this issue as high severity with a CVSS score of 7.3.
For defenders, the risk extends beyond the existence of an SSRF. This vulnerability allows an attacker to manipulate the application server into acting as a proxy, potentially probing internal services, accessing admin interfaces, or reaching cloud metadata endpoints. SSRF on installation endpoints is particularly concerning due to often overlooked security measures.
The affected versions are up to and including 1.3.7, and there is no confirmed fixed version available. Therefore, defenders should not assume that a newer release addresses the vulnerability unless verified through vendor advisories or patch notes.
Affected Versions, Exposure Conditions, and Exploitation Status
The affected range includes all versions up to and including 1.3.7. The vulnerable component is the installation endpoint at /install/checkServer. Currently, there is no publicly available vendor advisory confirming a remediation release.
Given the lack of information, any deployment on 1.3.7 or earlier should be treated as vulnerable. The NVD indicates that a public exploit exists, but confirmed exploitation in the wild has not been established, and the CVE is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
If your team is questioning whether authentication is required, the available data does not provide a definitive answer. As the vulnerable functionality is an installation endpoint, it is prudent to assume that it may be exploited by unauthenticated remote actors if reachable.
Operational Impact and Realistic Attack Paths
SSRF vulnerabilities can be low noise but high impact. An attacker could use the application server to make HTTP requests into network zones that are otherwise inaccessible. This could expose internal APIs, Redis dashboards, or administrative web consoles. In cloud environments, attackers may also attempt to access metadata endpoints.
The impact of CVE-2026-11437 will depend on the deployment environment. A publicly exposed management frontend with broad access is riskier than an isolated host with strict egress controls. SSRF can facilitate internal reconnaissance and chained attacks against vulnerable software.
Installation endpoints are often temporary and may not be adequately monitored. If /install/checkServer remains exposed post-deployment, attackers could exploit this vulnerability without needing extensive application knowledge.
What Defenders Should Do Next
- Inventory where this product is running under either name: go-fastdfs-web or go-fastdfs-web-go. Confirm if any instance is on 1.3.7 or earlier and treat those systems as vulnerable.
- Monitor both endpoint access and outbound connections. If possible, block or restrict access to the installation endpoint.
- Stay alert for verified patch sources, including official releases or trusted maintainer fixes.
For more information on incident response planning, check our Incident Response Planning Checklist.
If you want to enhance your security further, consider using a VPN service like NordVPN or Surfshark to protect your online activities.
How to Detect Potential Exploitation
Begin by reviewing web access logs for requests to /install/checkServer. Correlate these events with unusual outbound connections from the application host. Look for connections to RFC1918 space, localhost targets, or cloud metadata addresses.
Technical Notes
Use the following command to search for probes in your web logs:
grep -R '/install/checkServer' /var/log/nginx/ /var/log/apache2/ 2>/dev/null
If your logs include query strings, hunt for suspicious targets:
grep -R '/install/checkServer' /var/log/nginx/ 2>/dev/null |
egrep '127\.0\.0\.1|localhost|169\.254\.169\.254|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.'
Mitigation and Patching Guidance
Currently, there is no confirmed fixed version available. Therefore, focus on reducing exposure. If the product is deployed, restrict access to /install/checkServer at the reverse proxy or firewall. If possible, remove or disable installation routes entirely in production.
Technical Notes
To block the endpoint using Nginx, add the following configuration:
location = /install/checkServer {
deny all;
return 403;
}
For containerized deployments, identify the running version and confirm the checked-out tag before making any changes.
References
| Source | URL |
|---|---|
| NVD CVE record | https://nvd.nist.gov/vuln/detail/CVE-2026-11437 |
| CISA KEV catalog | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| Project repository | https://github.com/perfree/go-fastdfs-web-go |
| NVD reference listed in record | https://vuldb.com/cve/CVE-2026-11437 |
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.