CVE-2026-5633
Server-Side Request Forgery in gpt-researcher ws Endpoint
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| assafelovic | gpt-researcher | to 3.4.3 (inc) |
| assafelovic | gpt_researcher | to 3.4.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5633 is a critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the GPT Researcher software up to version 3.4.3. It occurs in the WebSocket `/ws` endpoint, specifically through the `source_urls` parameter, which accepts arbitrary URLs without any validation.
An attacker can send a specially crafted WebSocket command containing URLs that the server will fetch without checking their validity or origin. This allows the attacker to make the server perform HTTP requests to internal or external hosts, including private IP ranges, localhost, and cloud metadata services.
The server then returns the full HTTP response content from these requests back to the attacker via the research report output, enabling the attacker to exfiltrate sensitive data from internal services or cloud environments.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict validation and filtering of the `source_urls` parameter at the WebSocket `/ws` endpoint to prevent SSRF attacks.
- Allow only URLs with `http` and `https` schemes.
- Block requests to known cloud metadata service IPs such as 169.254.169.254.
- Resolve hostnames and block private, loopback, link-local, and reserved IP address ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Implement DNS rebinding protections.
Since no patch is currently available, these validation measures should be applied at the entry point and scraper initialization to prevent exploitation.
Additionally, monitor and restrict outbound HTTP requests from the server to internal or sensitive IP ranges to reduce risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-5633 enables unauthenticated attackers to perform server-side request forgery (SSRF) attacks that can lead to exposure of sensitive internal data, cloud credential theft, and internal network reconnaissance.
Such data exposure and unauthorized access to internal and cloud metadata services could result in violations of data protection regulations and standards like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.
Specifically, the vulnerability allows attackers to exfiltrate data from internal services and cloud metadata endpoints, potentially exposing personal or sensitive data that must be protected under these regulations.
Therefore, organizations using affected versions of GPT Researcher may face compliance risks if this vulnerability is exploited, as it undermines the confidentiality and integrity requirements mandated by common standards and regulations.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive internal data and cloud credentials.
- Attackers can steal cloud provider IAM credentials by accessing cloud metadata endpoints, potentially leading to full cloud account takeover.
- Attackers can perform internal network reconnaissance by scanning private IP ranges to discover internal services.
- Attackers can exfiltrate data from local services running on the server such as Redis, Elasticsearch, or Kubernetes APIs.
- The vulnerability allows full-read SSRF, meaning attackers receive the complete HTTP response content from targeted internal or external URLs.
Exploitation cost is very low, enabling attackers to perform large-scale internal scanning and data exfiltration economically.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring WebSocket traffic to the `/ws` endpoint for suspicious payloads containing the `source_urls` parameter with arbitrary or internal URLs. An attacker sends a WebSocket start command with a JSON payload listing URLs that the server will fetch without validation.
To detect exploitation attempts, you can capture and analyze WebSocket messages for unusual requests to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata service IPs (e.g., 169.254.169.254).
Suggested commands to detect suspicious activity include using network traffic capture tools like tcpdump or Wireshark to filter WebSocket traffic and inspect payloads.
- Capture WebSocket traffic on port 80 or 443 (adjust port as needed): tcpdump -i any -s 0 -w capture.pcap 'tcp port 80 or tcp port 443'
- Use Wireshark to open the capture and filter for WebSocket frames containing the string "source_urls".
- Alternatively, use command-line tools like tshark to filter WebSocket payloads: tshark -r capture.pcap -Y 'websocket.payload contains "source_urls"'
- Check server logs or WebSocket message logs for JSON payloads with suspicious URLs targeting internal IPs or metadata service IPs.