Webhook-url-http-3a-2f-2f169.254.169.254-2fmetadata-2fidentity-2foauth2-2ftoken May 2026

: Ensure your cloud "Managed Identities" have only the bare minimum permissions. If a token is stolen, the damage is limited to what that specific identity can do.

: Never allow webhooks to point to internal or link-local IP ranges. Use an allowlist for domains or block the 169.254.0.0/16 range entirely. : Ensure your cloud "Managed Identities" have only

: If the application displays the "response" of the webhook (common in debugging tools), the attacker now has a functional access token. : Ensure your cloud "Managed Identities" have only