CVE-2026-30834: PinchTab has SSRF with Full Response Exfiltration via Download Handler

March 6, 2026 (updated March 9, 2026)

A Server-Side Request Forgery (SSRF) vulnerability in the /download endpoint allows any user with API access to induce the PinchTab server to make requests to arbitrary URLs, including internal network services and local system files, and exfiltrate the full response content.

References

github.com/advisories/GHSA-rw8p-c6hf-q3pg
github.com/pinchtab/pinchtab
github.com/pinchtab/pinchtab/security/advisories/GHSA-rw8p-c6hf-q3pg
nvd.nist.gov/vuln/detail/CVE-2026-30834

Code Behaviors & Features

Detect and mitigate CVE-2026-30834 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →