CVE-2026-25738
Status: Received - Intake
Server-Side Request Forgery in Indico Event Management System

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality but is never intended to let users access "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch.

Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. For those who trust their event organizers, the risk is also very limited.

For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set on both the indico-uwsgi and indico-celery services.
Meta Information
Published: 2026-02-19
Last Modified: 2026-02-26
Generated: 2026-06-16
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: cern
Product: indico
Version / Range: up to 3.3.10 (excluding)
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

CVE-2026-25738 is a server-side request forgery (SSRF) vulnerability in Indico, an event management system that uses Flask-Multipass for authentication. Versions of Indico prior to 3.3.10 allow users to make outgoing requests to URLs they provide, which is part of the system's intended functionality. However, the vulnerability arises because users can access "special" internal targets such as localhost or cloud metadata endpoints, which should not be accessible. This can potentially expose sensitive data.

Only event organizers can access the endpoints where SSRF could be exploited to see the data returned by such requests. The risk is limited for those who trust their event organizers or do not host Indico on environments like AWS where sensitive data might be exposed without authentication.

Upgrading to Indico version 3.3.10 patches this vulnerability. Additional security can be implemented by configuring proxy-related environment variables to restrict outgoing requests.

Impact Analysis

This vulnerability can allow event organizers to perform server-side request forgery attacks, potentially accessing sensitive internal resources such as localhost services or cloud metadata endpoints that are not intended to be accessible.

If your Indico instance is hosted in an environment where sensitive data is exposed without authentication (for example, on AWS), this could lead to unauthorized access to that data.

For users who do not host Indico in such environments or who trust their event organizers, the impact is limited.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Indico to version 3.3.10 or later, which contains the patch for the server-side request forgery issue.

If upgrading immediately is not possible, you can use proxy-related environment variables such as http_proxy and https_proxy to force outgoing requests through a proxy that restricts or limits requests as needed.

These environment variables must be set on both the indico-uwsgi and indico-celery services to be effective.

Additionally, note that only event organizers can access endpoints where SSRF could expose data, and if your deployment does not expose sensitive data without authentication (e.g., not hosted on AWS), the risk is limited.
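As an added illustration of the kind of destination check this advisory is about (example code written for this page, not Indico's own code and not the 3.3.10 patch), the Python below validates a user-supplied URL before an application fetches it: it resolves the host, rejects loopback, private, link-local (the range cloud metadata services live in) and other non-public addresses, including IPv4-mapped IPv6 forms, and returns the checked address so the caller can connect to exactly what was validated instead of resolving the name a second time, which is the check-then-use gap CWE-367 describes. The hostname-to-address table behind `fake_resolver` is constructed for offline demonstration; `resolve_all` is the real resolver built on `socket.getaddrinfo`.

```python
"""Defensive destination check for outbound requests to user-supplied URLs.

Added example for this page; it is not Indico's code or patch. It assumes a
fetcher that will use the returned pinned address rather than re-resolving.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(hostname):
    """Resolve a hostname to every address it maps to (real DNS/hosts lookup)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    # info[4] is the sockaddr tuple; [0] is the textual address.
    # dict.fromkeys de-duplicates while keeping order, and avoids sorting
    # IPv4 and IPv6 objects together (which would raise TypeError).
    return list(dict.fromkeys(ipaddress.ip_address(info[4][0]) for info in infos))


# Constructed lookup table so the example runs with no network access.
SAMPLE_RESOLUTIONS = {
    "localhost": ["127.0.0.1", "::1"],
    "intranet.example": ["10.0.0.5"],          # private RFC 1918 host
    "public.example": ["8.8.8.8"],             # a public address
    "mixed.example": ["8.8.8.8", "10.0.0.5"],  # public and private answers
}


def fake_resolver(hostname):
    """Offline stand-in for resolve_all, backed by SAMPLE_RESOLUTIONS."""
    return [ipaddress.ip_address(a) for a in SAMPLE_RESOLUTIONS.get(hostname, [])]


def is_safe_address(addr):
    """True only for globally routable unicast addresses.

    ip_address.is_global is False for loopback, RFC 1918, link-local
    (169.254.0.0/16, where cloud metadata endpoints sit), reserved and
    documentation ranges. Multicast is excluded separately because older
    Python versions report some multicast ranges as global.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        # ::ffff:127.0.0.1 is really 127.0.0.1; judge the embedded IPv4 address.
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason, pinned_ip).

    pinned_ip is the address the caller should actually connect to; every
    address the host resolves to must pass, otherwise a resolver returning
    a mix of public and internal answers could be used to slip through.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        # Host given as an IP literal (IPv4, IPv6 in brackets): check it directly.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve", None
    for addr in addrs:
        if not is_safe_address(addr):
            return False, f"resolves to non-public address {addr}", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    for candidate in (
        "https://public.example/feed.ics",
        "http://localhost:8080/",
        "http://169.254.169.254/",
        "http://[::ffff:127.0.0.1]/",
        "http://mixed.example/",
    ):
        print(candidate, "->", check_outbound_url(candidate, resolver=fake_resolver))
```

Pairing this with the proxy approach the advisory mentions is complementary rather than redundant: the check above stops the request before it leaves the application, while an egress proxy enforces the same policy for any code path that forgot to call it.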
