CVE-2026-25738
Status: Received - Intake
Server-Side Request Forgery in Indico Event Management System

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality, but it was never intended to let users reach "special" targets such as localhost or cloud metadata endpoints.

Users should upgrade to version 3.3.10 to receive a patch. Deployments that do not have IPs exposing sensitive data without authentication (typically because Indico is not hosted on AWS) are not affected. Only event organizers can access the endpoints where SSRF could be used to actually see the data returned by such a request, so for those who trust their event organizers the risk is also very limited.

For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set on both the indico-uwsgi and indico-celery services.
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-26
Generated: 2026-05-07
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: cern
Product: indico
Version / Range: up to 3.3.10 (excluding)
CWE ID and Description
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-367 (Time-of-check Time-of-use Race Condition): The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
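The two CWEs above describe the check that an application fetching user-supplied URLs needs: refuse destinations such as loopback, private ranges and the cloud metadata address, check every address the name resolves to, and then connect to the address that was checked rather than resolving the name a second time (a name that answers with a public address during the check and a loopback address at connect time is the CWE-367 race). The following is an added illustration of that pattern and is not Indico's code; the network list, the hostnames, the constructed DNS table and the helper names are assumptions made for the example.

```python
"""Added illustration (not Indico's code): reject "special" SSRF targets and
connect to the address that was actually checked.

Every hostname, the network list and the helpers here are assumptions.
"""
import ipaddress
import socket
import ssl
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Destinations a user-controlled URL must never reach. 169.254.169.254 is the
# metadata address on AWS/GCP/Azure; fd00:ec2::254 (inside fc00::/7) is the
# AWS IMDS IPv6 address. Loopback and RFC 1918 cover services on the host/VPC.
FORBIDDEN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str, int], List[str]]


class SsrfBlocked(ValueError):
    """Raised when a URL points at a destination we refuse to contact."""


def is_forbidden_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # "::ffff:127.0.0.1" must be judged as 127.0.0.1
    return any(ip in net for net in FORBIDDEN_NETWORKS)


def system_resolver(host: str, port: int) -> List[str]:
    """All A/AAAA answers for host via getaddrinfo (IP literals pass through)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_target(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str, int]:
    """Validate url and return (ip, hostname, port) for a pinned connection.

    Every resolved address is checked, not only the first, and the caller must
    connect to the returned IP instead of resolving the name again; otherwise a
    name that rebinds between check and use slips past the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("URL has no host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:  # urlsplit raises on ports outside 0-65535
        raise SsrfBlocked(f"bad port in {url!r}") from exc
    try:
        addrs = resolver(host, port)
    except socket.gaierror as exc:
        raise SsrfBlocked(f"cannot resolve {host!r}") from exc
    if not addrs:
        raise SsrfBlocked(f"no addresses for {host!r}")
    bad = [a for a in addrs if is_forbidden_ip(a)]
    if bad:
        raise SsrfBlocked(f"{host!r} resolves to forbidden address(es) {bad}")
    return addrs[0], host, port


def is_blocked(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        check_target(url, resolver)
    except SsrfBlocked:
        return True
    return False


def connect_pinned(url: str, resolver: Resolver = system_resolver) -> socket.socket:
    """Open a socket to the address check_target approved. For https the
    certificate is still verified against the original name via server_hostname."""
    ip, host, port = check_target(url, resolver)
    sock = socket.create_connection((ip, port), timeout=10)
    if urlsplit(url).scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return sock


# Constructed DNS table so the checks can be exercised offline.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def fake_resolver(host: str, port: int) -> List[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # IP literals resolve to themselves
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return FAKE_DNS[host]
```

Two caveats a practitioner would want: the check has to be repeated for every hop of an HTTP redirect, since a public host can simply 302 to a metadata URL, and when the fetch is done through a client that does its own name resolution (requests, for instance) the pinning step is lost unless the client is pointed at the IP with the original name supplied as the Host header and SNI, as `connect_pinned` does.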
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25738 is a server-side request forgery (SSRF) vulnerability in Indico, an event management system that uses Flask-Multipass for authentication. Versions of Indico prior to 3.3.10 allow users to make outgoing requests to URLs they provide, which is part of the system's intended functionality. However, the vulnerability arises because users can access "special" internal targets such as localhost or cloud metadata endpoints, which should not be accessible. This can potentially expose sensitive data.

Only event organizers can access the endpoints where SSRF could be exploited to see the data returned by such requests. The risk is limited for those who trust their event organizers or do not host Indico on environments like AWS where sensitive data might be exposed without authentication.

Upgrading to Indico version 3.3.10 patches this vulnerability. Additional security can be implemented by configuring proxy-related environment variables to restrict outgoing requests.


How can this vulnerability impact me?

This vulnerability can allow event organizers to perform server-side request forgery attacks, potentially accessing sensitive internal resources such as localhost services or cloud metadata endpoints that are not intended to be accessible.

If your Indico instance is hosted in an environment where sensitive data is exposed without authentication (for example, on AWS), this could lead to unauthorized access to that data.

For users who do not host Indico in such environments or who trust their event organizers, the impact is limited.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Indico to version 3.3.10 or later, which contains the patch for the server-side request forgery issue.

If upgrading immediately is not possible, you can use proxy-related environment variables such as http_proxy and https_proxy to force outgoing requests through a proxy that restricts or limits requests as needed.

These environment variables must be set on both the indico-uwsgi and indico-celery services to be effective.

Additionally, note that only event organizers can access endpoints where SSRF could expose data, and if your deployment does not expose sensitive data without authentication (e.g., not hosted on AWS), the risk is limited.
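The proxy workaround above depends on how the HTTP client interprets the proxy environment variables, and in particular on `no_proxy`: many cloud images export `no_proxy=localhost,127.0.0.1,169.254.169.254` by default, which sends exactly the targets the filtering proxy was meant to catch straight to the network. The following added example (not Indico's code) reproduces the decision a stdlib-style client makes for a URL given an environment, using `urllib.request.proxy_bypass_environment` for the `no_proxy` matching; the proxy address `egress-filter.internal`, the environments and the probe URLs are constructed for the illustration, and requests parses `no_proxy` with its own code (it also accepts CIDR entries), so confirm the behaviour with the client you actually run.

```python
"""Added illustration (not Indico's code): which outgoing requests an
http_proxy/https_proxy setting really covers. Proxy host and env values are
constructed for the example."""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment


def proxy_for(url: str, env: Dict[str, str]) -> Optional[str]:
    """Proxy a stdlib-style client would use for url given env (a stand-in for
    os.environ), or None when the request goes direct.

    Mirrors urllib.request.getproxies_environment(): any <scheme>_proxy variable
    selects a proxy for that scheme, and no_proxy lists hosts to bypass, matched
    by exact name or domain suffix (never by resolving the name to an address).
    """
    proxies = {}
    for key, value in env.items():
        key = key.lower()
        if value and key.endswith("_proxy"):
            proxies[key[: -len("_proxy")]] = value  # "no_proxy" -> proxies["no"]
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    if proxy_bypass_environment(host, proxies):
        return None
    return proxies.get(parts.scheme)


def audit(env: Dict[str, str], urls: Iterable[str]) -> Dict[str, str]:
    """Map each URL to the proxy it would traverse, or 'DIRECT'."""
    return {u: proxy_for(u, env) or "DIRECT" for u in urls}


# Constructed environments. EGRESS_ONLY is the advisory's workaround: every
# request goes through a filtering proxy. WITH_NO_PROXY adds the no_proxy line
# many cloud images set by default, which re-opens the targets the proxy was
# supposed to block.
FILTER = "http://egress-filter.internal:3128"  # assumed proxy address
EGRESS_ONLY = {"http_proxy": FILTER, "https_proxy": FILTER}
WITH_NO_PROXY = dict(EGRESS_ONLY, no_proxy="localhost,127.0.0.1,169.254.169.254")

PROBES = (
    "http://169.254.169.254/latest/meta-data/",  # cloud metadata
    "http://localhost:5000/",                     # service on the same host
    "https://example.org/feed.ics",               # ordinary external fetch
)

if __name__ == "__main__":
    for name, env in (("egress only", EGRESS_ONLY), ("with no_proxy", WITH_NO_PROXY)):
        print(name)
        for url, route in audit(env, PROBES).items():
            print(f"  {url} -> {route}")
```

Two things follow from this. The variables only govern clients that honour them (requests and urllib do; a library that opens sockets itself or carries its own proxy settings does not), so the proxy is a second layer rather than a replacement for the patch. And when you set `http_proxy`/`https_proxy` on indico-uwsgi and indico-celery, check that no inherited `no_proxy` value lists localhost, 127.0.0.1 or 169.254.169.254, otherwise those requests bypass the filter.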

