Skip to main content

Lemmy CVE-2026-42181

| EUVDEUVD-2026-28820 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-08 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:34 vuln.today
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVE Published
May 08, 2026 - 19:26 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.

AnalysisAI

Server-side request forgery (SSRF) in Lemmy prior to version 0.19.18 allows authenticated low-privileged users to bypass internal IP range restrictions and access internal image endpoints. An attacker can submit a crafted post whose Open Graph image tag points to an internal server; Lemmy will fetch and cache the image server-side, potentially exposing sensitive internal resources. The vulnerability exists because the initial page URL is validated against internal IP ranges, but the extracted og:image URL is not subject to the same restriction, creating a two-stage bypass.

Technical ContextAI

Lemmy's link preview feature automatically fetches Open Graph metadata from user-supplied post URLs to generate preview cards. The vulnerable code path in crates/api_common/src/request.rs validates the top-level post URL against internal IP ranges via fetch_link_metadata(), but after HTML parsing, extract_opengraph_data() extracts absolute og:image values without re-validating them. These unvalidated image URLs are then passed to generate_pictrs_thumbnail(), which invokes a local pict-rs image processing service with image/download?url=[UNVALIDATED_URL]. This creates a two-stage source-to-sink chain where the security boundary (internal address check) is enforced only at the first hop, allowing attackers to bypass it through a secondary resource URL embedded in Open Graph metadata. The root cause is inadequate URL validation (CWE-918: Server-Side Request Forgery) at the metadata extraction stage.

RemediationAI

Upgrade Lemmy to version 0.19.18 or later immediately. The vendor has released patched version 0.19.18 (available at https://github.com/LemmyNet/lemmy/releases/tag/0.19.18) which applies server-side URL validation to extracted og:image values in addition to the top-level page URL. For instances unable to patch immediately, mitigations include: disable the default StoreLinkPreviews feature by configuring an alternative image mode in the Lemmy settings if available; restrict post creation privileges to trusted users only, limiting who can submit external links that trigger metadata fetching; or implement network-level egress filtering rules on the instance to prevent the pict-rs service from accessing internal IP ranges (however, this requires careful configuration to avoid breaking legitimate functionality). Note that these mitigations do not eliminate the vulnerability, only reduce the attack surface. Patching is the only complete fix.

Share

CVE-2026-42181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy