CVE-2026-63306
Deferred Deferred - Pending Action

Unauthenticated SSRF in StoaChat via Proxy and Embed Endpoints

Vulnerability report for CVE-2026-63306, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

stoatchat before 0.13.5 contains an unauthenticated server-side request forgery vulnerability in the /proxy and /embed endpoints that accept arbitrary URLs without DNS resolution filtering or private IP range validation. Attackers can enumerate internal services, fingerprint applications, and reach instance metadata endpoints by supplying malicious URLs or leveraging redirect chains to access internal infrastructure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
stoatchat stoatchat to 0.13.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated server-side request forgery (SSRF) in the StoaChat application before version 0.13.5. It affects the /proxy and /embed endpoints, which accept arbitrary URLs without proper DNS resolution filtering or private IP range validation. Attackers can exploit this to send crafted requests to internal services, enumerate them, fingerprint applications, or access instance metadata endpoints by providing malicious URLs or using redirect chains.

Detection Guidance

Check if your system is running a vulnerable version of stoat chat by inspecting the version number. Monitor network traffic for unusual outbound requests to internal or private IP ranges from the /proxy or /embed endpoints. Look for unexpected connections to metadata endpoints or internal services.

Impact Analysis

This vulnerability allows attackers to access internal infrastructure, potentially exposing sensitive data or internal services. It could lead to unauthorized access to metadata, service enumeration, or application fingerprinting, which may facilitate further attacks like data exfiltration or lateral movement within a network.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating confidentiality requirements under GDPR and HIPAA. It may result in data breaches, non-compliance with data protection principles, and potential legal penalties due to inadequate security controls for protecting personal or health information.

Mitigation Strategies

Upgrade stoat chat to version 0.13.5 or later immediately. Implement strict allowlisting for URLs in the /proxy and /embed endpoints to block private IP ranges and internal domains. Add DNS resolution filtering to prevent SSRF attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63306. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart