CVE-2026-47157
Status: Received - Intake
Server-Supplied Path Handling in aiograpi

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: subzeroid
Product: aiograpi
Version / Range: all versions before 0.9.10 (0.9.10 itself excluded)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

The vulnerability exists in aiograpi versions before 0.9.10, an asynchronous Instagram API for Python. These versions accepted server-supplied signup challenge paths and used them to build request URLs without validating that the paths were relative Instagram API paths.

If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, they could cause the client to send challenge handling requests to unintended hosts outside the Instagram domain, using the client's existing session headers.

This vulnerability is classified as Server-Side Request Forgery (SSRF) and was fixed in version 0.9.10 by validating challenge paths before building URLs or submitting challenge forms.

Impact Analysis

This vulnerability can allow an attacker to send unauthorized requests from the client to arbitrary hosts by manipulating the signup challenge paths.

Because these requests use the client's existing session headers, an attacker could potentially access sensitive information or perform actions on behalf of the user without their consent.

The impact is primarily on confidentiality, as indicated by the CVSS score, which rates the confidentiality impact as high.

Detection Guidance

This vulnerability involves the acceptance of server-supplied signup challenge paths without proper validation, potentially allowing requests to unintended hosts using existing session headers.

To detect exploitation attempts on your network or system, you can monitor outgoing HTTP requests from the aiograpi client for unusual or unexpected external hosts that are not part of the Instagram API domain.

Commands to help detect suspicious activity might include:

  • Using network monitoring tools like tcpdump or Wireshark to capture and analyze outgoing requests for unexpected domains or IP addresses.
  • Example tcpdump command to capture HTTP requests: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443' (note that port 443 traffic is TLS, so -A shows only ciphertext; to see the destination host, inspect DNS queries, the TLS SNI field, or egress proxy logs instead).
  • Using command-line tools like curl or wget to manually test the challenge paths and observe if requests are redirected or sent to external hosts.
  • Reviewing application logs for any requests that include non-relative or malformed challenge paths.

Mitigation Strategies

The primary mitigation step is to upgrade aiograpi to version 0.9.10 or later, which includes hardened validation of signup challenge paths to prevent this vulnerability.

This update ensures that challenge paths are validated before building URLs or submitting challenge forms, preventing requests from being sent to unintended hosts.

Additionally, consider monitoring your network for suspicious outgoing requests and securing your local network, DNS, and proxy infrastructure to reduce the risk of attacker influence.
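The following is an added illustration of the validation pattern the fix describes, not aiograpi's own code: a server-supplied challenge path is rejected unless it is a same-origin relative API path, and only then is it joined onto the trusted host. The API_ORIGIN constant and the function names are assumptions made for this example.

```python
# Added example, not aiograpi's code: validate a server-supplied challenge
# path before building a request URL from it. API_ORIGIN and all function
# names are assumptions made for this illustration.
from urllib.parse import urljoin, urlsplit

API_ORIGIN = "https://i.instagram.com"  # assumed single trusted API origin


def build_challenge_url_unchecked(path: str) -> str:
    """Pre-fix pattern: join whatever the server sent onto the API origin.

    urljoin lets an absolute ('https://host/...') or scheme-relative
    ('//host/...') value replace the host, so the session headers would
    be sent wherever the challenge response points.
    """
    return urljoin(API_ORIGIN + "/", path)


def is_relative_api_path(path: str) -> bool:
    """True only for a same-origin absolute path such as '/challenge/...'."""
    if not isinstance(path, str) or not path.startswith("/"):
        return False
    if path.startswith("//") or "\\" in path:
        return False  # scheme-relative host or backslash variants
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return False  # control characters (CR/LF, NUL) never belong here
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return False
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False  # a legitimate challenge path never needs dot-segments
    return True


def build_challenge_url_checked(path: str) -> str:
    """Post-fix pattern: validate first, then confirm the result stayed home."""
    if not is_relative_api_path(path):
        raise ValueError(f"rejected challenge path: {path!r}")
    url = urljoin(API_ORIGIN + "/", path)
    final = urlsplit(url)
    if f"{final.scheme}://{final.netloc}" != API_ORIGIN:
        raise ValueError("challenge URL left the trusted origin")
    return url
```

The unchecked builder is kept only to show why the check matters: with it, the host in the resulting URL is chosen by whoever controls the challenge response.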
