CVE-2026-5803
Awaiting Analysis Awaiting Analysis - Queue
Server-Side Request Forgery in bigsk1 API Proxy Endpoint

Publication date: 2026-04-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5803
EUVD
EUVD-2026-20625
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bigsk1 openai-realtime-ui to 188ccde27fdf3d8fab8da81f3893468f53b2797c (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a security flaw found in the bigsk1 openai-realtime-ui project, specifically in an unknown function within the server.js file of the API Proxy Endpoint component. The flaw allows an attacker to manipulate the Query argument, which leads to a server-side request forgery (SSRF). This means an attacker can make the server send unauthorized requests to other internal or external systems. The attack can be performed remotely, and the exploit code has been publicly released.

The product uses continuous delivery with rolling releases, so no specific affected or fixed version details are available. However, a patch identified by the commit 54f8f50f43af97c334a881af7b021e84b5b8310f is suggested to fix the issue.

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform server-side request forgery (SSRF) attacks through the affected API Proxy Endpoint. This could enable the attacker to make unauthorized requests from the server to internal or external systems, potentially accessing sensitive information, bypassing firewalls, or interacting with internal services that are not normally exposed.

Since the attack can be initiated remotely and the exploit is publicly available, it increases the risk of exploitation if the system is not patched.

Mitigation Strategies

It is suggested to install the patch named 54f8f50f43af97c334a881af7b021e84b5b8310f to address this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart