LeakyCreds

CVE-2026-42864 - Vulnerability Analysis

Critical, CVSS: 9.9

Last Updated: May 11, 2026

FireFighter - Server Side Request Forgery

Published: May 11, 2026
Updated: May 11, 2026
Remotely exploitable

Overview

FireFighter prior to 0.0.54 contains a server-side request forgery: the /api/v2/firefighter/raid/jira_bot endpoint is reachable without authentication and fetches arbitrary URLs without validation, letting unauthenticated attackers exfiltrate data, including AWS credentials. Exploitation requires ingress access to the endpoint.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 5.0% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can exfiltrate sensitive data including AWS credentials, potentially leading to full cloud environment compromise.

Mitigation

Update to version 0.0.54 or later.
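A server-side fetcher of the kind described above needs two fixes: the endpoint must require authentication (in Django REST framework terms, a permission class such as IsAuthenticated instead of AllowAny), and every URL it is asked to fetch must be validated before the request is made. The Python guard below is an added example, not FireFighter's own code: it rejects non-http(s) schemes and any target that is, or resolves to, the instance metadata service or another internal address; the resolver parameter is assumed so the check can be exercised without network access.

```python
"""Outbound-URL guard for a server-side fetcher.

Added example for mitigating an SSRF like the one above: refuse fetch
targets that point at the instance metadata service or any other internal
address. Not FireFighter's own code; function and parameter names are assumed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetcher should never reach. The first two cover
# the AWS instance metadata service (169.254.169.254 and fd00:ec2::254); the
# rest are loopback, link-local, private and carrier-grade NAT space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "fd00:ec2::254/128",
    "127.0.0.0/8", "::1/128", "fe80::/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "100.64.0.0/10",
)]


def _is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) so they cannot
    # bypass the IPv4 ranges above.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _system_resolver(host):
    """Resolve host to all of its A/AAAA addresses (assumed default resolver)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_target(url, resolver=_system_resolver):
    """Return True only if url is http(s) and every address it maps to is external.

    A host that resolves to a mix of external and internal addresses is
    rejected, so an attacker-controlled DNS record cannot smuggle one
    internal address in among public ones.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        # IP literal: no DNS lookup needed, check it directly.
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
        except (socket.gaierror, ValueError):
            return False
    return bool(addrs) and not any(_is_blocked(ip) for ip in addrs)
```

Validating the URL once is not sufficient on its own: the fetcher should also refuse to follow redirects (or re-run the check on every hop) and connect to the address it validated, because a hostname can be re-resolved to an internal address between the check and the request.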

Social Media Activity (4 posts)

OffSequence (@offseq)
May 12, 2026

🔄 CVE-2026-42864: CRITICAL vuln in ManoManoTech firefighter-incident (<0.0.54). Missing auth lets attackers fetch arbitrary URLs & exfil AWS creds if IMDSv2 not enforced. Update to 0.0.54+ & check your cloud configs! https://radar.offseq.com/threat/cve-2026-42864-cwe-306-missing-authentication-for--60c5ba57 #OffSeq #CVE202642864 #CloudSecurity
TheHackerWire (@thehackerwire)
May 11, 2026

🔓 CVE-2026-42864 - Critical (9.9) FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42864/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-42864
Severity: Critical
CVSS Score: 9.9
Type: server_side_request_forgery
Status: new
EPSS: 5.0%
Social Posts: 4

CWE

  • CWE-306 (Missing Authentication for Critical Function)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

EPSS Score

5.0% (probability of exploitation in the next 30 days)