CVE-2026-45082
Deferred Deferred - Pending Action
SSRF Protection Bypass in Karakeep via Redirect Chains

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
Karakeep is a elf-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward internal/private network destinations, these protections could be bypassed through crafted HTTP redirect chains. By leveraging attacker-controlled redirects, an authenticated user could cause vulnerable application components to initiate requests toward internally reachable Docker network services accessible from the application environment. The issue affected multiple processing paths, including crawler-related functionality and video download processing flows. Version 0.32.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-45082
EUVD
EUVD-2026-31826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
karakeep karakeep to 0.32.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) protection bypass in the Karakeep application versions prior to 0.32.0. Karakeep is a self-hostable bookmark-everything app. The flaw arises because the application inconsistently validates HTTP redirect destinations, allowing attacker-controlled redirect chains to bypass SSRF protections.

An authenticated user can exploit this vulnerability to make the application send requests to internal Docker network services that are normally protected and only accessible within the application's environment. This affects multiple processing paths, including crawler-related functions and video download processing.

The vulnerability was patched in version 0.32.0.

Impact Analysis

Exploiting this vulnerability allows an authenticated attacker to bypass SSRF protections and make the application send requests to internal services that are not normally exposed externally.

  • Exposure of internal APIs and services such as Meilisearch or Chrome debugging interfaces.
  • Potential access to internal-only endpoints, which could lead to information disclosure or further attacks within the internal network.
  • Compromise of internal infrastructure components used by the application, including search infrastructure and development services.

Because the attack requires only low privileges and no user interaction, it poses a significant risk to the confidentiality and availability of internal resources.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Karakeep to version 0.32.0 or later, as this version contains the patch that fixes the SSRF protection bypass.

Additionally, restrict access to internal Docker network services from the application environment and review any processing paths that handle HTTP redirects, especially crawler and video download functionalities, to ensure they do not allow attacker-controlled redirect chains.

Compliance Impact

The vulnerability allows an authenticated user to bypass SSRF protections and send requests to internal network services, potentially exposing internal APIs, search infrastructure, and development services.

Such exposure of internal systems and data could lead to unauthorized access or data leakage, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of sensitive data and internal resources.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Detection Guidance

Detection of this SSRF protection bypass vulnerability involves monitoring for unusual HTTP redirect chains initiated by authenticated users within the Karakeep application, especially those that result in requests to internal Docker network services such as Meilisearch or Chrome debugging interfaces.

Since the vulnerability exploits crafted HTTP redirects, network detection can focus on identifying outbound requests from the Karakeep server to internal IP ranges or Docker network endpoints that are not normally accessed.

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture and analyze HTTP traffic from the Karakeep server, filtering for requests to internal IP addresses or unusual ports.
  • On the Karakeep server, use commands like `curl -v` or `wget --max-redirect=10` to manually test redirect chains and observe if redirects lead to internal network destinations.
  • Check application logs for sequences of HTTP redirects triggered by authenticated users that result in requests to internal services.
  • Example command to monitor network traffic for internal requests: `sudo tcpdump -i any host 172.17.0.0/16` (assuming Docker default network range).
  • Example command to test redirect handling: `curl -L -v http://your-karakeep-instance/path-that-triggers-redirect` and observe if redirects point to internal IPs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45082. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart