CVE-2026-63088
Deferred Deferred - Pending Action

SSRF Vulnerability in StoaChat Before 0.14.0

Vulnerability report for CVE-2026-63088, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

stoatchat before 0.14.0 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the url_is_blacklisted function, which inspects only the first resolved address while the underlying HTTP client iterates all cached addresses.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
stoatchat stoatchat to 0.14.0 (exc)
stoatchat stoatchat to 0.13.5 (exc)
stoatchat stoatchat to 0.13.7 (inc)
stoatchat stoatchat 0.14.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63088 is a Server-Side Request Forgery (SSRF) vulnerability in stoatchat versions before 0.14.0. The issue occurs because the url_is_blacklisted function only checks the first resolved DNS address for IP blocklist compliance, while the HTTP client processes all cached addresses. Attackers can exploit this by controlling a domain that resolves to multiple IPs, where the first IP is public but unreachable (passing the blocklist) and the second is a loopback or internal IP (never validated). This allows unauthorized access to internal services.

Detection Guidance

To detect this SSRF vulnerability, check if your stoatchat instance is running a version before 0.14.0. Inspect network logs for requests to internal IP ranges or unauthorized external domains. Test endpoints like /proxy and /embed with crafted URLs to see if they bypass IP restrictions.

Impact Analysis

This vulnerability allows unauthenticated attackers to send arbitrary HTTP requests to internal services, leading to unauthorized access, data exfiltration, and network reconnaissance. Attackers could enumerate internal services, fingerprint applications, and exploit cloud metadata endpoints (like 169.254.169.254) to steal IAM credentials. The /proxy and /embed endpoints are particularly vulnerable as they remain unauthenticated.

Compliance Impact

This SSRF vulnerability could lead to unauthorized access to internal systems, potentially exposing sensitive data such as personal or health information. This may violate GDPR's data protection requirements and HIPAA's safeguards for protected health information if exploited.

Mitigation Strategies

Upgrade stoatchat to version 0.14.0 or later immediately. Disable or restrict access to the /proxy and /embed endpoints if not required. Implement strict DNS and IP validation for all outbound requests. Monitor network traffic for suspicious SSRF patterns.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63088. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart