CVE-2023-46746 MEDIUM

CVE-2023-46746: Authenticated PostHog users vulnerable to SSRF

Vendor Posthog

Product posthog

Weakness CWE-918 · SSRF

Published December 1, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

December 1, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-46746

Related vulnerabilities

04Related CVE

CVE-2026-44492 Axios: shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) CVE-2025-13588 lKinderBueno Streamity Xtream IPTV Player proxy.php server-side request forgery CVE-2023-6570 Server-Side Request Forgery (SSRF) in kubeflow/kubeflow CVE-2025-68500 WordPress Prime Slider – Addons For Elementor plugin <= 4.0.10 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-39843 Plane has a Server-Side Request Forgery (SSRF) in Favicon Fetching