Summary
The webhook configuration form fetches the supplied URL server-side to verify it returns a 2xx. The URL validator only checks the response status, not the resolved IP. By submitting a hostname that resolves to a private RFC1918 address (or to the cloud metadata service), an authenticated user with the Owner role can cause the validator worker to make a request to internal infrastructure and surface the response body in the resulting error toast.
Reproduction steps
1. Sign in as an Owner of any workspace.
2. Open Settings → Integrations → Webhooks → New.
3. Enter URL: http://169.254.169.254/latest/meta-data/iam/security-credentials/
4. Submit the form. The validator worker performs the GET.
5. The "validation failed" toast surfaces the body of the response, exposing IAM role names. Repeating with the role path returns keys.
Impact
Server-side request forgery against internal AWS metadata. Any Owner-tier user (free workspace included) can read short-lived IAM credentials for the webhook-validator worker role. The role currently has read access to the S3 bucket holding webhook delivery logs, which contain customer event payloads in plain text. Rotating the role and restricting egress will not fully mitigate the issue without input validation of the submitted URL.
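Added example, not code from the report or the affected product: a Python version of the input validation the report asks for, which resolves the hostname and rejects any private, loopback, link-local or metadata address before the fetch, and pins the checked IP for the request. The names FAKE_DNS, fake_resolver and check_webhook_url are hypothetical, and the sample hostnames and addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (addresses are
# illustrative, not from the report); production passes system_resolver.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "rebind.example": ["169.254.169.254"],           # points at metadata
    "dual.example": ["8.8.8.8", "::ffff:10.0.0.5"],  # one record is internal
}

def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]

def system_resolver(host):
    # Every A/AAAA record must pass the check, not just the first one.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_public(addr_text):
    addr = ipaddress.ip_address(addr_text)
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot smuggle an internal IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_webhook_url(url, resolver=system_resolver):
    """Return (pinned_ip, None) when every resolved address is public, else
    (None, reason). Connect to pinned_ip with Host set to the hostname (defeats
    DNS rebinding between check and fetch), do not follow redirects without
    re-checking, and surface only the reason in the toast, never a body."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None, "only http(s) URLs with a hostname are accepted"
    try:
        ipaddress.ip_address(host)          # literal IP: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            return None, f"unresolvable host: {host}"
    for a in addrs:
        if not is_public(a):
            return None, f"{host} resolves to non-public address {a}"
    return addrs[0], None
```

The literal metadata URL from step 3 fails the address check before any request is made, and the generic reason is the only text that should reach the toast.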