CVE-2026-4964
Server-Side Request Forgery in letta-ai File URL Handler
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| letta | letta | 0.16.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4964 is a security vulnerability in the Letta AI platform (version 0.16.4 and earlier) involving Server-Side Request Forgery (SSRF) and arbitrary file read issues.
The flaw exists in the function _convert_message_create_to_message within the message_helper.py file, specifically in how it processes image URLs starting with the file:// scheme.
When a user sends a message containing an image URL with a file:// path, the server opens and reads the specified file directly without validating the URL scheme, allowing unauthorized access to any file on the server.
This vulnerability arises because a prior fix that validated URL schemes was applied to a different code path but not to this image URL processing path, leaving this attack vector open.
How can this vulnerability impact me? :
This vulnerability allows any authenticated API user to read arbitrary files on the Letta server.
- Access to sensitive files such as environment variables containing secrets like API keys and database passwords.
- Exposure of system files like /etc/passwd.
- Reading application source code and configuration files.
This constitutes a privilege escalation from normal message sending to unauthorized server filesystem access, risking exposure of all server-level secrets to any user with API access.
The vulnerability affects multi-tenant and cloud deployments, increasing the risk of widespread data exposure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for messages or API requests that include image URLs with the scheme "file://", which trigger server-side file reads.
A practical detection method is to check server logs for errors such as FileNotFoundError or HTTP 502 errors that occur when the server attempts to read local files specified by these URLs.
You can also attempt a controlled test by sending a message with an image URL set to a known local file path, for example, "file:///etc/passwd", and observe if the server reads and processes the file content.
- Use network monitoring tools to filter API requests containing "file://" URLs.
- Check application logs for errors related to file access triggered by image URLs.
- Example command to search logs for file URL usage: `grep -r "file://" /path/to/letta/logs`
- Example command to test the vulnerability via API (replace with actual API call): `curl -X POST https://your-letta-instance/api/messages -d '{"image_url":"file:///etc/passwd"}'`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or blocking any image URLs with the "file://" scheme from being processed by the server.
Since no patched versions are available at the time of the report, you should implement input validation or filtering to reject or sanitize image URLs before they reach the vulnerable function.
Additionally, monitor and audit API usage to detect and block suspicious requests attempting to exploit this vulnerability.
Consider isolating the Letta AI service with strict filesystem permissions to limit the impact of arbitrary file reads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-4964 vulnerability allows authenticated users to read arbitrary files on the server, including sensitive environment variables, credentials, application source code, and configuration files.
This unauthorized access to sensitive data can lead to exposure of personal data or protected health information, which may violate data protection regulations such as GDPR and HIPAA.
Because the vulnerability enables privilege escalation and unauthorized data disclosure in multi-tenant and cloud deployments, it poses a significant risk to compliance with standards requiring confidentiality, integrity, and protection of sensitive information.