Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken Jun 2026
designed to retrieve the token automatically.
Attackers can probe internal network services that are not exposed to the public internet. On Azure the most valuable such service is the Instance Metadata Service (IMDS) at the link-local address 169.254.169.254, whose /metadata/identity/oauth2/token endpoint issues access tokens for the managed identity attached to the VM without any further authentication.
Recommended Safety Features
In Kubernetes (AKS), any pod that can reach the node's IMDS endpoint can request a token for the node's managed identity, so when using Pod Identity or Workload Identity you must ensure that only authorized pods can call this endpoint, preventing token theft between containers. The legacy Pod Identity add-on (aad-pod-identity) intercepts pod traffic to 169.254.169.254 and returns only the identity assigned to that pod; Workload Identity does not use IMDS at all (the pod exchanges a projected service-account token with Microsoft Entra ID), so pod egress to 169.254.169.254 can be blocked outright with a network policy.
The attacker inherits whatever permissions are assigned to that virtual machine's managed identity. If the VM has Reader, Contributor, or Owner access to the Azure subscription, the attacker now shares that power. The token is scoped by the resource parameter of the request: resource=https://vault.azure.net yields a Key Vault token that can read every secret, key and certificate the identity is permitted to, and a second request with resource=https://management.azure.com/ yields an Azure Resource Manager token that exercises the subscription-level roles above.
Summary. A Server-Side Request Forgery (SSRF) vulnerability in the Typebot webhook block (HTTP Request component) functionality al...
Cloud misconfigurations remain one of the primary vectors for enterprise data breaches. Among them, Server-Side Request Forgery (SSRF) combined with a reachable cloud metadata service is one of the most severe, because a single forged request turns an application bug into live cloud credentials.
A malicious webhook registration supplies the metadata endpoint as the callback URL, for example:

    {
      "event": "user.signup",
      "webhook": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net"
    }

When the next user signs up, the application itself performs the request from inside the VM and, if the response body is stored or echoed back to the webhook owner, delivers the access token to the attacker.
The string webhook-url-http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken is a clear indicator of a Server-Side Request Forgery attempt targeting Azure cloud metadata. Organizations must monitor their application logs for requests targeting link-local addresses, implement robust input validation for all webhook systems, and lock down infrastructure identities to minimize the blast radius of a compromise. Note that Azure IMDS only answers requests that carry the header Metadata: true and rejects requests carrying an X-Forwarded-For header, so a webhook sender that gives the attacker no control over request headers receives HTTP 400 rather than a token; treat the attempt as hostile regardless, and never rely on that header as a defense where the webhook feature allows custom headers.
The string uses percent-encoding (also called URL encoding), with the % escape character itself replaced by a hyphen, to represent characters that are unsafe or have special meaning in URLs: -3A is the colon and -2F is the forward slash, so http-3A-2F-2F169.254.169.254-2Fmetadata-2Fidentity-2Foauth2-2Ftoken decodes to http://169.254.169.254/metadata/identity/oauth2/token. Because the slug is case-insensitive, the lowercase form seen in the page title (-3a-2f-2f) decodes to the same URL, and log searches must match both.
A minimal check, assuming webhook_url is the URL submitted for registration:

    from ipaddress import ip_address
    from urllib.parse import urlsplit

    METADATA_IP = ip_address('169.254.169.254')
    parsed_url = urlsplit(webhook_url)
    if ip_address(parsed_url.hostname) == METADATA_IP:
        raise ValueError("Blocked SSRF attempt to metadata service")

Two caveats: ip_address() raises ValueError for any hostname that is not an IP literal, so a caller that catches ValueError as "blocked" will reject every DNS name, and an exact match on one address misses the IPv4-mapped form [::ffff:169.254.169.254], the hex form 0xa9fea9fe, and a DNS name that resolves to 169.254.169.254. A real check must resolve the hostname and reject the whole link-local range, and repeat that check on every redirect and at connection time to defeat DNS rebinding.
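The following is an added example, not code from the original page, showing the three controls discussed above in one place: decoding the hyphen-escaped slug back to a URL, a host check that resolves DNS names and rejects every non-global address rather than one literal, and a scan over webhook registration log lines that flags both raw and encoded metadata targets. The dash-escape format (hyphen in place of %) is inferred from the string on this page; the log format, the stub DNS table and the function names are constructed for the example and are not any product's API.

```python
import ipaddress
import re
import socket
from urllib.parse import unquote, urlsplit

# Assumed slug format (inferred from the page): percent-encoding with "%"
# replaced by "-", so "-3a" is ":" and "-2f" is "/".
DASH_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")


def decode_dash_encoded(slug):
    """Turn 'http-3a-2f-2f169.254...' back into 'http://169.254...'.
    Caveat: a literal '-' followed by two hex digits is ambiguous in this format."""
    return unquote(DASH_ESCAPE.sub(r"%\1", slug))


def resolve_with_dns(host):
    """Resolve a hostname the way the HTTP client will. On glibc systems
    getaddrinfo also accepts hex/decimal forms such as 0xa9fea9fe."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def blocked_addresses(url, resolve=resolve_with_dns):
    """Return every address the webhook host maps to that is not globally
    routable: link-local 169.254.0.0/16 (IMDS), loopback, RFC 1918 space and
    their IPv6 equivalents, with IPv4-mapped IPv6 unwrapped first.
    An empty list means the destination is acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal, v4 or bracketed v6
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise ValueError("%r did not resolve" % host)
    blocked = []
    for addr in candidates:
        mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> 169.254.169.254
        if mapped is not None:
            addr = mapped
        if not addr.is_global:
            blocked.append(str(addr))
    return blocked


# Constructed stub DNS table so the example runs offline; the real resolver
# above would return the same answers for these names on a glibc host.
STUB_DNS = {
    "hooks.example.com": {"93.184.216.34"},
    "rebind.example.com": {"93.184.216.34", "169.254.169.254"},
    "0xa9fea9fe": {"169.254.169.254"},
}


def stub_resolve(host):
    return STUB_DNS.get(host.lower(), set())


# Constructed sample audit log (not from any real system): the URL field may
# hold a raw URL, a %-encoded one, or the dash-encoded slug seen on this page.
SAMPLE_LOG = [
    "2026-06-01T09:12:03Z webhook.create user=4711 url=https://hooks.example.com/in",
    "2026-06-01T09:12:41Z webhook.create user=9032 url=webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken",
    "2026-06-01T09:13:05Z webhook.create user=9032 url=http://[::ffff:169.254.169.254]/metadata/instance",
    "2026-06-01T09:14:22Z webhook.create user=1180 url=http://0xa9fea9fe/latest/meta-data/",
]

URL_IN_LINE = re.compile(r"(https?)(://|-3a-2f-2f|%3a%2f%2f)(\S+)", re.IGNORECASE)


def scan_webhook_log(lines, resolve=resolve_with_dns):
    """Flag lines whose webhook URL (raw, %-encoded or dash-encoded) points at a
    non-global address. Returns (line_no, decoded_url, blocked_addresses)."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = URL_IN_LINE.search(line)
        if not match:
            continue
        scheme, separator, rest = match.groups()
        if separator.lower() == "-3a-2f-2f":
            rest = decode_dash_encoded(rest)
        elif separator.lower() == "%3a%2f%2f":
            rest = unquote(rest)
        url = "%s://%s" % (scheme.lower(), rest)
        try:
            bad = blocked_addresses(url, resolve)
        except ValueError as err:
            findings.append((line_no, url, ["invalid: %s" % err]))
            continue
        if bad:
            findings.append((line_no, url, bad))
    return findings


if __name__ == "__main__":
    for line_no, url, bad in scan_webhook_log(SAMPLE_LOG, stub_resolve):
        print("line %d: %s -> %s" % (line_no, url, ", ".join(bad)))
```

Running the scan over SAMPLE_LOG with the stub resolver flags lines 2, 3 and 4 and leaves the legitimate hooks.example.com registration alone. The resolve parameter is the important design choice: the check must see the same addresses the HTTP client will connect to, and since a name such as rebind.example.com can return a different answer on the next lookup, the decision should be pinned to the resolved address for the actual connection (or re-run in a connect hook) and repeated on every redirect, with redirects to non-global addresses refused.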