CVE-2026-42261
Undergoing Analysis Undergoing Analysis - In Progress
Server-Side Request Forgery in PromptHub

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true β€” a supported and documented configuration β€” this means any internet user who can register. This issue has been patched in version 0.5.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42261
EUVD
EUVD-2026-28504
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
legeling prompthub From 0.4.9 (inc) to 0.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users to perform SSRF attacks that can lead to cross-tenant data exposure and access to internal services or cloud metadata endpoints. Such unauthorized data exposure and potential access to sensitive internal resources could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access and processing.

Because the vulnerability enables attackers to retrieve internal data and reflect it back to them, it increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards.

Executive Summary

CVE-2026-42261 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in PromptHub versions 0.4.9 to before 0.5.4. It occurs in the POST /api/skills/fetch-remote endpoint, which fetches a user-supplied URL server-side and returns the response body up to 5 MB to the caller.

The vulnerability arises because the SSRF protection function (isPrivateIPv6) fails to block all private or loopback IPv6 addresses due to multiple alternate-but-valid IPv6 representations bypassing the check. This allows attackers to reach internal IPv4 addresses (including loopback, RFC1918, and link-local) via IPv4-mapped IPv6 addresses in hex form or other semantic equivalents of ::1.

Any authenticated user, including those who register on deployments with ALLOW_REGISTRATION=true, can exploit this vulnerability to make the server fetch internal resources and reflect their content back.

Impact Analysis

This vulnerability can allow attackers to perform internal network reconnaissance by accessing internal services or private IP ranges that should be protected.

Attackers can retrieve sensitive data from internal endpoints, including cloud metadata services, which may lead to cross-tenant data exposure.

Since the server reflects up to 5 MB of response data back to the attacker, it can be used to exfiltrate information from internal systems.

Detection Guidance

This vulnerability can be detected by monitoring for requests to the authenticated endpoint POST /api/skills/fetch-remote that include user-supplied URLs using IPv4-mapped IPv6 addresses or alternate IPv6 representations of loopback and private IP ranges.

Detection can involve inspecting logs for unusual SSRF attempts where URLs contain IPv6 formats such as ::ffff:7f00:1 (which maps to 127.0.0.1) or other semantic equivalents of ::1.

While no specific commands are provided in the resources, network administrators can use tools like curl or wget to simulate requests to the vulnerable endpoint with crafted IPv6-mapped IPv4 addresses to test if the server reflects responses.

  • Example curl command to test SSRF endpoint: curl -X POST -H "Authorization: Bearer <token>" -d '{"url":"http://[::ffff:7f00:1]/"}' https://<prompthub-server>/api/skills/fetch-remote
Mitigation Strategies

The immediate mitigation step is to upgrade PromptHub to version 0.5.4 or later, where the vulnerability has been patched.

The patch replaces the custom isPrivateIPv6 function with a canonicalization-based check using the ip-address npm package to properly block private and loopback IP addresses in all valid IPv6 representations.

Additionally, if upgrading immediately is not possible, consider restricting access to the POST /api/skills/fetch-remote endpoint to trusted users only and disabling ALLOW_REGISTRATION to prevent arbitrary internet users from registering and exploiting the SSRF.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42261. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart