CVE-2026-63086 in text-generation-inference
Summary
by MITRE • 07/16/2026
text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability exists within the text-generation-inference framework version 3.3.7 and earlier, specifically affecting the OpenAI-compatible multimodal chat completions endpoint. The flaw stems from inadequate input validation in the fetch_image function located in router/src/validation.rs, which fails to properly sanitize or validate image_url parameters submitted by clients. The vulnerability classifies as server-side request forgery under CWE-918, representing a critical security weakness that enables remote attackers to manipulate the application's behavior.
The technical implementation of this vulnerability occurs when an attacker supplies a crafted image_url value containing a URL that points to internal network resources or cloud metadata endpoints. The fetch_image function processes these URLs without implementing proper address validation checks for private IP ranges, loopback addresses, link-local networks, or cloud metadata services such as AWS instance metadata at 169.254.169.254 or similar endpoints. This omission allows attackers to bypass security controls that would normally prevent access to internal systems.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass comprehensive internal network reconnaissance and credential harvesting capabilities. Attackers can leverage the default redirect-following behavior of the reqwest HTTP client to chain multiple requests through redirect responses, effectively circumventing scheme-based access restrictions. This enables unauthorized port scanning of internal services, enumeration of running applications, and potential extraction of sensitive metadata that could contain authentication tokens, API keys, or other privileged information.
Organizations utilizing text-generation-inference versions up to 3.3.7 should implement immediate mitigations including input validation for all URL parameters, explicit blocking of private network address ranges, and configuration of the HTTP client to disable automatic redirects. The vulnerability maps to ATT&CK technique T1566.002 for server-side request forgery and T1082 for system information discovery through internal port scanning capabilities. Security teams should also consider implementing network segmentation controls and monitoring for unusual outbound requests to cloud metadata endpoints as additional defensive measures against this class of vulnerability.
The root cause analysis reveals that the application architecture lacks proper network boundary enforcement when processing external content inputs, creating an attack surface where untrusted user data can influence internal network communications. This represents a fundamental flaw in the principle of least privilege execution and demonstrates the critical importance of input validation controls in web applications handling multimedia content or external resource references. Organizations should also conduct comprehensive security reviews of all HTTP client configurations and validate that network access controls are properly implemented at multiple layers of their application architecture to prevent similar vulnerabilities from manifesting in other components.