CVE-2026-42181
Server-Side Request Forgery in Lemmy
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lemmy | lemmy | < 0.19.18 (0.19.18 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Lemmy versions prior to 0.19.18. Lemmy fetches metadata for user-supplied post URLs and downloads preview images using a component called pict-rs. While Lemmy checks the top-level page URL against internal IP ranges to prevent access, it does not apply the same check to the Open Graph image URL (og:image). As a result, an authenticated low-privileged user can submit a public page whose Open Graph image points to an internal image endpoint. Lemmy will then fetch this internal image server-side and store a local thumbnail, which can be served back to users.
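An added example, not code from Lemmy or pict-rs: a Python guard that applies the same internal-address test to both the submitted page URL and the og:image URL extracted from the page, which is exactly the check the description says was missing. Host names, address ranges and the HTML sample are constructed, and the `resolve` parameter is an assumption so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Address ranges treated as internal (constructed list; extend for your deployment).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal_url(url, resolve=socket.getaddrinfo):
    """True unless url is http(s) and every resolved address is outside BLOCKED_NETS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    try:  # resolve the host: a name that points at an internal address is still internal
        addrs = {info[4][0].split("%")[0] for info in resolve(parsed.hostname, None)}
    except OSError:
        return True  # unresolvable: refuse rather than fetch
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast or any(ip in net for net in BLOCKED_NETS):
            return True
    return False


class OgImageParser(HTMLParser):
    """Collects the first <meta property="og:image" content="..."> in a page."""
    def __init__(self):
        super().__init__()
        self.og_image = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and self.og_image is None and a.get("property", "").lower() == "og:image":
            self.og_image = a.get("content")


def allowed_preview_image(page_url, page_html, resolve=socket.getaddrinfo):
    """Return the og:image URL safe to thumbnail, or None if either URL fails the check."""
    if is_internal_url(page_url, resolve):
        return None
    parser = OgImageParser()
    parser.feed(page_html)
    if not parser.og_image:
        return None
    image_url = urljoin(page_url, parser.og_image)  # relative og:image resolves against the page
    return None if is_internal_url(image_url, resolve) else image_url
```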
How can this vulnerability impact me?
The vulnerability allows an authenticated low-privileged user to cause the server to fetch internal images that are normally inaccessible from outside the internal network. This can lead to unauthorized disclosure of internal resources or information by making the server act as a proxy to internal endpoints. The CVSS score indicates a moderate severity with a high impact on confidentiality.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Lemmy version 0.19.18. The immediate step to mitigate this vulnerability is to upgrade Lemmy to version 0.19.18 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated low-privileged user to cause Lemmy to fetch and store internal images by exploiting improper validation of Open Graph image URLs. This leads to potential unauthorized disclosure of internal resources, which impacts confidentiality.
Such unauthorized internal data access and disclosure could conflict with compliance requirements in standards and regulations like GDPR and HIPAA, which mandate protection of sensitive and confidential information.
However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected server-side requests to internal IP addresses or internal image endpoints triggered by Lemmy's link preview fetching mechanism.
Since the vulnerability involves Lemmy fetching internal images from URLs specified in the og:image metadata of user-submitted posts, detection involves identifying such SSRF attempts or unusual internal network access patterns.
- Check Lemmy server logs for outgoing HTTP requests to internal IP ranges (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x) that originate from the pict-rs service or link preview fetcher.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze HTTP requests from the Lemmy server to internal IP addresses.
- Example tcpdump command to monitor HTTP requests to internal IPs (the filter is quoted and parenthesised so that `tcp and` applies to all three ranges; without the parentheses BPF binds `and` tighter than `or`): `sudo tcpdump -i <interface> 'tcp and (dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16)'`
- Search Lemmy application logs or database entries for posts containing URLs with og:image metadata pointing to internal IP addresses.
- If possible, enable verbose logging for the pict-rs service or link preview fetcher to capture the URLs being fetched.