CVE-2026-63086
Deferred Deferred - Pending Action

Server-Side Request Forgery in Text Generation Inference

Vulnerability report for CVE-2026-63086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a server-side request forgery (SSRF) in text-generation-inference versions up to 3.3.7. It allows unauthenticated attackers to trick the server into making arbitrary HTTP GET requests by providing a malicious image_url in chat messages. The server fails to validate private, loopback, or cloud metadata addresses, and redirects are followed by default, enabling attackers to bypass security checks and access internal services or cloud metadata endpoints.

Detection Guidance

Detecting this SSRF vulnerability requires monitoring network traffic for unusual HTTP requests originating from the text-generation-inference service. Check logs for requests to private, loopback, or metadata endpoints. Use tools like tcpdump or Wireshark to capture outbound traffic from the service's process. Look for GET requests to addresses like 127.0.0.1, 169.254.169.254, or other internal/cloud metadata endpoints.

Impact Analysis

An attacker could exploit this to scan internal networks, access sensitive cloud metadata, or steal credentials. This could lead to unauthorized access to internal systems, data breaches, or further attacks on connected services. The impact depends on the server's network configuration and exposed services.

Compliance Impact

This SSRF vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection principles or HIPAA's security requirements for protected health information. Organizations using affected software may face compliance violations, legal penalties, and reputational damage if exploited.

Mitigation Strategies

Upgrade text-generation-inference to version 3.3.8 or later to address the SSRF flaw. Disable the OpenAI-compatible multimodal chat completions endpoint if not needed. Implement network-level restrictions to block outbound requests to private, loopback, or metadata IP ranges from the service. Configure the HTTP client to disable redirects and validate all target addresses strictly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart