pavelzbornik whisperX-FastAPI up to 0.5.0 FileService.download_from_url server-side request forgery
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.4 | $0-$5k | 0.50 |
Summary
A vulnerability described as critical has been identified in pavelzbornik whisperX-FastAPI up to 0.5.0. The affected element is the function FileService.download_from_url. Executing a manipulation can lead to server-side request forgery.
This vulnerability is registered as CVE-2026-34981. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
Details
A vulnerability was found in pavelzbornik whisperX-FastAPI up to 0.5.0. It has been declared as critical. This vulnerability affects the function FileService.download_from_url. The manipulation with an unknown input leads to a server-side request forgery vulnerability. The CWE definition for the vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact it is known to affect confidentiality. CVE summarizes:
The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.download_from_url() in app/services/file_service.py calls requests.get(url) with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by appending .mp3 to any internal URL. The /speech-to-text-url endpoint is unauthenticated. This vulnerability is fixed in 0.6.0.
The advisory is available at github.com. This vulnerability was named CVE-2026-34981 since 03/31/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are known, but there is no available exploit.
Upgrading to version 0.6.0 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at CNNVD (CNNVD-202604-990). If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Vendor
Name
Version
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.5VulDB Meta Temp Score: 5.4
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 5.8
CNA Vector (GitHub_M): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Server-side request forgeryCWE: CWE-918
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: whisperX-FastAPI 0.6.0
Timeline
03/31/2026 CVE reserved04/06/2026 Advisory disclosed
04/06/2026 VulDB entry created
04/08/2026 VulDB entry last update
Sources
Product: github.comAdvisory: github.com
Status: Confirmed
CVE: CVE-2026-34981 (🔒)
GCVE (CVE): GCVE-0-2026-34981
GCVE (VulDB): GCVE-100-355570
CNNVD: CNNVD-202604-990 - whisperX REST API 代码问题漏洞
Entry
Created: 04/06/2026 18:50Updated: 04/08/2026 13:31
Changes: 04/06/2026 18:50 (64), 04/08/2026 13:31 (6)
Complete: 🔍
Cache ID: 216:6CD:103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.