CVE-2026-29178 in Lemmy
Summary
by MITRE • 03/06/2026
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/(unknown) endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
Analysis
by VulDB Data Team • 03/08/2026
CVE-2026-29178 is a critical server-side request forgery (SSRF) flaw in Lemmy, a popular link aggregator and forum platform in the fediverse. It stems from Lemmy's reliance on the activitypub_federation framework, a Rust library for the ActivityPub federation protocol, and affects the GET /api/v4/image/(unknown) endpoint, which fronts the platform's image processing. All versions prior to 0.19.16 are affected, so a substantial share of Lemmy deployments are exposed. An attacker exploits it through parameter injection in the file_type query parameter, whose value is carried into the application's internal request handling without adequate validation, turning a public parameter into a trusted internal one.
Technically this is a classic SSRF through parameter manipulation. A crafted request to the vulnerable endpoint lets the attacker append additional query parameters to the internal HTTP request that Lemmy makes to the pict-rs service. The most serious consequence is control of the proxy parameter of that pict-rs request, which makes pict-rs fetch an arbitrary URL. That gives an external party a route to internal network resources that a firewall would otherwise block, and a means of reconnaissance against the internal infrastructure. The flaw sits at the application layer and abuses the trust between Lemmy's internal services: a seemingly legitimate public API call becomes an internal network request under the attacker's control.
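The pattern behind the flaw, as an added example that is not code from Lemmy, activitypub_federation or pict-rs: an internal-request builder that interpolates a caller-supplied value into the query string, beside a hardened version that allowlists the value and percent-encodes it. The pict-rs base URL, the allowlist, the sample input and all function names are assumptions made for this illustration.

```rust
// Added example, not code from Lemmy, activitypub_federation or pict-rs: the
// internal-request builder pattern that permits parameter injection, beside a
// hardened version. The pict-rs base URL, the allowlist and all function names
// are assumptions made for this illustration.

/// Naive builder: the caller-supplied value is interpolated verbatim, so any
/// '&' or '=' in it is read by the downstream service as a new parameter.
fn build_naive(base: &str, file_type: &str) -> String {
    format!("{base}?file_type={file_type}")
}

/// Percent-encode every byte outside the RFC 3986 unreserved set so the value
/// can only ever be parsed back as one parameter value.
fn percent_encode(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

/// Image types the endpoint is willing to forward (assumed list).
const ALLOWED_FILE_TYPES: &[&str] = &["jpg", "png", "gif", "webp"];

/// Hardened builder: reject anything outside the allowlist first, then encode
/// the (already safe) value anyway as defence in depth.
fn build_hardened(base: &str, file_type: &str) -> Result<String, String> {
    if !ALLOWED_FILE_TYPES.contains(&file_type) {
        return Err(format!("file_type {file_type:?} is not an allowed image type"));
    }
    Ok(format!("{base}?file_type={}", percent_encode(file_type)))
}

/// Split a URL's query string into (key, value) pairs, i.e. how the receiving
/// service would interpret each URL built above.
fn query_params(url: &str) -> Vec<(String, String)> {
    let query = match url.split_once('?') {
        Some((_, q)) => q,
        None => return Vec::new(),
    };
    query
        .split('&')
        .map(|kv| match kv.split_once('=') {
            Some((k, v)) => (k.to_string(), v.to_string()),
            None => (kv.to_string(), String::new()),
        })
        .collect()
}

fn main() {
    let base = "http://pict-rs.internal:8080/image"; // assumed internal address
    // Constructed input: a file_type value that carries a query delimiter.
    let tainted = "png&proxy=http://internal.example/";

    let naive = build_naive(base, tainted);
    println!("naive URL  : {naive}");
    println!("  seen as  : {:?}", query_params(&naive)); // two parameters

    match build_hardened(base, tainted) {
        Ok(url) => println!("hardened   : {url}"),
        Err(e) => println!("hardened   : rejected ({e})"),
    }
    let ok = build_hardened(base, "png").expect("png is allowed");
    println!("valid input: {ok}");
}
```

The allowlist is the control that matters here: encoding alone keeps the value inside one parameter, but only the allowlist stops the endpoint from forwarding values the image service was never meant to receive.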
The operational impact goes beyond simple data exfiltration, because the flaw breaks the security boundary of a Lemmy installation. An attacker can reach internal systems that should be isolated from external networks and from there potentially compromise the rest of the fediverse instance. Because the attack is unauthenticated, any external party can exploit it without valid credentials, which makes it particularly dangerous on public-facing instances. It can be used to scan internal services, access sensitive configuration files, or pivot to other systems in the same network environment. Given how interconnected fediverse platforms are, the exposure is not limited to individual user data but can extend to the federation infrastructure the instance participates in.
Mitigation for CVE-2026-29178 requires an immediate upgrade to version 0.19.16 or later, which fixes the root cause through proper input validation and parameter sanitization. Operators should also add network-level restrictions so that internal services, in particular image processors like pict-rs, cannot communicate with external endpoints. Further protective measures include strict HTTP request filtering, validating every input parameter against an allowlist, and proper network segmentation between service components. Monitoring should look for anomalous patterns in image processing requests that could indicate exploitation attempts. The vulnerability is classified as CWE-918 (server-side request forgery) and maps to ATT&CK technique T1190 (Exploit Public-Facing Application). Organizations should also audit their fediverse infrastructure for similar weaknesses in other dependencies to ensure comprehensive protection against this class of attack.
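The monitoring suggestion above, as an added example that is not Lemmy's own tooling: a scanner over web-server access-log lines that flags requests to the image endpoint whose file_type parameter decodes to anything other than a plain, allowlisted image type. The log format, the sample lines (constructed, not real traffic), the PLACEHOLDER path segment (the advisory does not give the full path) and the allowlist are assumptions.

```rust
// Added example, not Lemmy's own tooling: scan access-log lines for requests to
// the image endpoint whose file_type parameter decodes to anything other than a
// plain, allowlisted image type. The log format, the path placeholder (the
// advisory does not give the full path) and the allowlist are assumptions.

/// Image types a legitimate request is expected to carry (assumed list).
const ALLOWED_FILE_TYPES: &[&str] = &["jpg", "png", "gif", "webp"];

/// Constructed sample log lines in a combined-log style; none are real traffic.
const SAMPLE_LOG: &[&str] = &[
    r#"203.0.113.5 - - [06/Mar/2026:12:00:01 +0000] "GET /api/v4/image/PLACEHOLDER?file_type=png HTTP/1.1" 200 512"#,
    r#"203.0.113.9 - - [06/Mar/2026:12:00:02 +0000] "GET /api/v4/image/PLACEHOLDER?file_type=png%26proxy%3Dhttp%3A%2F%2Finternal.example%2F HTTP/1.1" 200 88"#,
    r#"203.0.113.9 - - [06/Mar/2026:12:00:03 +0000] "GET /api/v4/image/PLACEHOLDER?file_type=exe HTTP/1.1" 400 0"#,
    r#"198.51.100.2 - - [06/Mar/2026:12:00:04 +0000] "GET /api/v4/site HTTP/1.1" 200 2048"#,
    r#"198.51.100.2 - - [06/Mar/2026:12:00:05 +0000] "GET /api/v4/image/PLACEHOLDER HTTP/1.1" 200 512"#,
];

/// Value of one hex digit, or None if the byte is not a hex digit.
fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Decode %XX escapes and '+' in a single query value. Malformed escapes are
/// kept literally rather than dropped, so nothing is hidden from the check.
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(h), Some(l)) = (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(if bytes[i] == b'+' { b' ' } else { bytes[i] });
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Why a decoded file_type value looks like an injection attempt, if it does.
fn suspicious_file_type(decoded: &str) -> Option<&'static str> {
    if decoded.chars().any(|c| matches!(c, '&' | '=' | '?' | '#')) {
        return Some("query delimiter inside file_type value");
    }
    if !ALLOWED_FILE_TYPES.contains(&decoded) {
        return Some("file_type not in allowlist");
    }
    None
}

/// Return (line index, reason) for every image-endpoint request whose
/// file_type parameter is suspicious. Other paths and requests without the
/// parameter are ignored.
fn scan_log(lines: &[&str]) -> Vec<(usize, String)> {
    let mut hits = Vec::new();
    for (n, line) in lines.iter().enumerate() {
        // The request line is the first double-quoted field.
        let request = match line.split('"').nth(1) {
            Some(r) => r,
            None => continue,
        };
        let target = match request.split_whitespace().nth(1) {
            Some(t) => t,
            None => continue,
        };
        if !target.starts_with("/api/v4/image/") {
            continue;
        }
        let query = match target.split_once('?') {
            Some((_, q)) => q,
            None => continue,
        };
        for kv in query.split('&') {
            if let Some(("file_type", raw)) = kv.split_once('=') {
                let decoded = percent_decode(raw);
                if let Some(reason) = suspicious_file_type(&decoded) {
                    hits.push((n, format!("{reason}: {decoded:?}")));
                }
            }
        }
    }
    hits
}

fn main() {
    for (line_no, reason) in scan_log(SAMPLE_LOG) {
        println!("line {line_no}: {reason}");
    }
}
```

Decoding before the check is the important step: at the edge the injected delimiters arrive percent-encoded, so a rule that only inspects the raw query string for a second parameter would never fire.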