Skip to main content

Lemmy CVE-2026-42180

| EUVDEUVD-2026-28819 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-08 GitHub_M
6.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:34 vuln.today
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVE Published
May 08, 2026 - 19:29 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18.

AnalysisAI

Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to trigger arbitrary HTTP requests to internal services by creating link posts with URLs targeting loopback, private, or link-local addresses. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled URL without validating against internal address ranges, enabling reconnaissance or exploitation of internal services. No public exploit code has been identified at time of analysis, but the vulnerability is straightforward to demonstrate and requires only user-level account access.

Technical ContextAI

Lemmy's vulnerability exists in the post creation flow (POST /api/v3/post), which accepts a user-supplied URL field for link posts. The URL is validated using is_valid_url(), which only confirms the scheme is http or https but does not implement RFC 1918 private address rejection or loopback/link-local filtering. When a post is created in a public community, the application asynchronously triggers Webmention delivery (a W3C standard for cross-site communication) by spawning a background task that issues an outbound HTTP request to the attacker-controlled URL. This creates a direct source-to-sink pathway from user input to server-initiated network activity without intermediate filtering of internal address spaces (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, ::1/128, etc.). The root cause is classified as CWE-918 (Server-Side Request Forgery), a classic SSRF pattern where application logic makes outbound requests based on untrusted input.

RemediationAI

Upgrade Lemmy to version 0.19.18 or later immediately - this is the primary and complete remediation. The patched version implements internal address range rejection before Webmention dispatch, preventing SSRF. To upgrade, follow the official Lemmy installation guide at https://join-lemmy.org/news/2026-04-20_-_Lemmy_Release_v0.19.18 and https://github.com/LemmyNet/lemmy/releases/tag/0.19.18. If immediate upgrade is not possible (e.g., pending testing), implement these compensating controls: (1) Restrict network egress from the Lemmy application container to block requests to private address ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, ::1/128) using firewall rules or container-level policies - this is network-layer defense but impedes Webmention functionality if legitimate external services are blocked; (2) Disable public post creation temporarily by restricting community visibility or post API access via rate-limiting or access control - this prevents the vulnerable code path but disables core functionality; (3) Monitor outbound HTTP connections from Lemmy for requests to private/loopback addresses and alert on detection. None of these workarounds is satisfactory long-term; upgrade to 0.19.18 is mandatory. See the GitHub security advisory at https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 for technical details.

Share

CVE-2026-42180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy