Origin validation error in titra - #VU126573

Published: April 20, 2026

Vulnerability identifier: #VU126573
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kromit
Affected software:
titra

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass domain whitelist restrictions and trigger unauthorized webhook processing.

The vulnerability exists due to an origin validation error in the webhook verification endpoint in server/APIroutes.js when handling requests with user-controlled Host or X-Forwarded-Host headers. Because these headers are supplied by the client, the value that is checked against the domain whitelist is attacker-controlled. A remote attacker can send a specially crafted request with a malicious header value to bypass the domain whitelist and trigger unauthorized webhook processing.

Only deployments that use the webhook verification feature are affected in practice. If the whitelist contains internal domains, the impact can extend to SSRF-like behavior, since the attacker can make the application treat a request as belonging to such a domain.
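The following Node.js snippet is an added illustration of the CWE-346 pattern described above; it is not titra's code and does not reconstruct server/APIroutes.js. The allowlist, the configuration names (canonicalHost, trustedProxies) and the two sample requests are constructed for the example. The vulnerable check reads the "origin" from Host/X-Forwarded-Host, which any client can set; the hardened check honours X-Forwarded-Host only from a configured trusted proxy, requires an exact match against the operator-configured canonical host, and consults the whitelist for that configured host rather than for whatever the request claims.

```javascript
"use strict";

// Constructed sample data for this illustration; not titra's configuration.
const WEBHOOK_DOMAIN_WHITELIST = new Set(["hooks.example.com", "ci.internal.example"]);
const CONFIG = {
  canonicalHost: "hooks.example.com",      // hypothetical: host taken from the operator's ROOT_URL
  trustedProxies: new Set(["10.0.0.5"]),   // hypothetical: reverse proxies allowed to set X-Forwarded-Host
};

// Reduce a Host / X-Forwarded-Host value to a bare lowercase hostname:
// take the first entry of a comma-separated proxy chain and drop any port.
function hostnameOf(value) {
  if (typeof value !== "string") return "";
  return value.split(",")[0].trim().replace(/:\d+$/, "").toLowerCase();
}

// VULNERABLE pattern (CWE-346): the "origin" being validated is read straight
// from headers the client controls, so the client chooses which allowlisted
// domain the request appears to belong to. X-Forwarded-Host is trusted from anyone.
function vulnerableEffectiveHost(req) {
  return hostnameOf(req.headers["x-forwarded-host"] || req.headers["host"]);
}

function vulnerableIsWhitelisted(req) {
  return WEBHOOK_DOMAIN_WHITELIST.has(vulnerableEffectiveHost(req));
}

// HARDENED pattern: X-Forwarded-Host is honoured only when the TCP peer is a
// configured trusted proxy; otherwise the Host header is used. The result must
// equal the configured canonical host exactly (no suffix or substring matching).
function hardenedEffectiveHost(req, config = CONFIG) {
  const forwarded = req.headers["x-forwarded-host"];
  const viaTrustedProxy = config.trustedProxies.has(req.remoteAddress);
  return hostnameOf(viaTrustedProxy && forwarded ? forwarded : req.headers["host"]);
}

function hardenedIsWhitelisted(req, config = CONFIG) {
  const host = hardenedEffectiveHost(req, config);
  // The request must be addressed to this deployment; the whitelist is then
  // consulted for the configured host, never for a value taken from the request.
  if (host !== config.canonicalHost) return false;
  return WEBHOOK_DOMAIN_WHITELIST.has(config.canonicalHost);
}

// Constructed attacker request: connects directly (not through the proxy) and
// names an internal allowlisted domain in X-Forwarded-Host, the SSRF-like case
// the advisory mentions. A port suffix is included to exercise normalisation.
const attackerRequest = {
  remoteAddress: "203.0.113.7",
  headers: { host: "attacker.example", "x-forwarded-host": "ci.internal.example:8080" },
};

// Constructed legitimate request arriving through the trusted reverse proxy.
const legitimateRequest = {
  remoteAddress: "10.0.0.5",
  headers: { host: "10.0.0.12:3000", "x-forwarded-host": "hooks.example.com" },
};

// Summarise both checks for both requests; returned so callers can inspect it.
function compareChecks() {
  return {
    attacker: {
      vulnerable: vulnerableIsWhitelisted(attackerRequest), // true: the bypass
      hardened: hardenedIsWhitelisted(attackerRequest),     // false: rejected
    },
    legitimate: {
      vulnerable: vulnerableIsWhitelisted(legitimateRequest), // true
      hardened: hardenedIsWhitelisted(legitimateRequest),     // true
    },
  };
}

console.log(JSON.stringify(compareChecks(), null, 2));
```

The vulnerable variant accepts the attacker's request because the comparison target is whatever the client wrote into X-Forwarded-Host; the hardened variant rejects it because the peer is not a trusted proxy, so only the Host header counts, and that does not match the deployment's configured host. Origin checks of this kind should be treated as a sanity check on addressing, not as authentication of the webhook sender.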

Remediation

Install the security update from the vendor's website.

Sources