CVE-2026-26005 in clipbucket-v5

Summary

by MITRE • 02/12/2026

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - #45, in ClipBucket v5, the Remote Play feature allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SSRF can be triggered, causing GET requests to be sent to internal servers. An attacker can exploit this to scan the internal network. Even a regular (non-privileged) user can carry out the attack.


Analysis

by VulDB Data Team • 02/12/2026

The vulnerability identified as CVE-2026-26005 affects ClipBucket v5, an open source video sharing platform for creating and sharing video content. The flaw exists in versions prior to 5.5.3 and allows unauthorized network scanning through server-side request forgery (SSRF). It resides in the Remote Play functionality, which lets a video entry reference an external video URL instead of requiring a local file upload to the server. The feature was intended to give users flexibility to embed content from various sources, but its design lets a malicious actor abuse the server's outbound network access.

Technically, the vulnerability stems from inadequate validation and sanitization of the video URL. When a user specifies a video URL for remote playback, the system neither validates nor restricts the hosts that may be contacted, so arbitrary URLs are processed. The flaw manifests when an attacker supplies a video URL that references an internal network host such as localhost, 127.0.0.1, or another internal IP address: the server then issues GET requests to that address without any authorization check, bypassing normal network security controls. This behavior corresponds to CWE-918 (Server-Side Request Forgery), which covers applications that fail to validate or restrict the destinations of the requests they make on a user's behalf.

The operational impact is substantial: any authenticated user, regardless of privilege level, can perform internal network reconnaissance and scanning. An attacker can map internal network topology, identify running services, and discover internal systems that network segmentation would otherwise protect. The attack vector is particularly dangerous because it requires nothing beyond a basic user account on the platform. The resulting reconnaissance of internal infrastructure can reveal network architecture, service availability, and attack surface that could be exploited in later phases of an attack.

Mitigation should focus on comprehensive URL validation and restriction within the ClipBucket platform. The system must strictly validate the scheme and hostname of every video URL and refuse requests to internal network addresses. At the network level, firewall rules and access controls should prevent the application server from opening outbound connections to internal ranges. The platform should also sanitize input and allowlist the domains permitted as remote video sources, so that only trusted external domains can be used for playback. Organizations should additionally consider network segmentation and monitoring to detect and alert on unusual outbound activity that may indicate exploitation attempts. The vulnerability illustrates the importance of validating all user-supplied data and applying defense-in-depth against server-side request forgery, as outlined in the ATT&CK framework's server-side request forgery tactics.
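As an added example (not part of the VulDB analysis or of the ClipBucket code base), the following Python validator for remote video URLs implements the checks recommended above: an allowed-scheme list, an optional domain allowlist, and rejection of any host whose literal or resolved address is loopback, private, link-local or otherwise non-public. All domain names and IP addresses in it are constructed, and the resolver is injectable so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip_str):
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local, multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def _system_resolver(host):
    # Return every A/AAAA record; all of them must be public, not just the first.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def validate_remote_video_url(url, allowed_domains=None, resolver=None):
    """Return (accepted, reason). allowed_domains is an optional allowlist of
    trusted external domains; resolver maps a hostname to its IP strings and
    defaults to the system resolver (injectable so tests run offline)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if allowed_domains is not None and not any(
            host == d or host.endswith("." + d) for d in allowed_domains):
        return False, "host not in allowlist: %s" % host
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP in the URL: check it directly
    except ValueError:
        addrs = (resolver or _system_resolver)(host)
    if not addrs:
        return False, "host does not resolve: %s" % host
    for addr in addrs:
        if not is_public_address(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    # The fetch must connect to one of the checked addresses and must not follow
    # redirects blindly, or DNS rebinding can still reach internal hosts.
    return True, "ok"
```

The validation is only as strong as the fetch that follows it: a resolved address should be pinned for the connection and redirects re-validated with the same function.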

Responsible

GitHub M

Reservation

02/09/2026

Disclosure

02/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00040

KEV

no

Activities

very low

Sources
