Skip to main content

Openai Realtime Ui CVE-2026-5803

| EUVD-2026-20625 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-08 VulDB GHSA-q8cg-hw7c-28qg
SSRF Openai Realtime Ui
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 08, 2026 - 21:26 vuln.today
Public exploit code
EUVD ID Assigned
Apr 08, 2026 - 20:46 euvd
EUVD-2026-20625
Analysis Generated
Apr 08, 2026 - 20:46 vuln.today
Patch released
Apr 08, 2026 - 20:46 nvd
Patch available
CVE Published
Apr 08, 2026 - 20:15 nvd
MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue.

AnalysisAI

Server-side request forgery (SSRF) in bigsk1 openai-realtime-ui allows authenticated remote attackers to manipulate API proxy endpoint query parameters in server.js, enabling the server to make arbitrary requests to internal or external resources. The vulnerability affects all versions up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c, has publicly available exploit code, and carries a CVSS 5.3 score reflecting moderate impact with authentication required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment While the CVSS score of 5.3 appears moderate, multiple signals contextualize the real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user of the openai-realtime-ui application crafts a malicious request with a manipulated query parameter pointing to an internal service (e.g., http://localhost:6379 for Redis, or an internal metadata service). Because the API proxy endpoint does not validate the target, the server forwards the request and returns the response to the attacker, allowing reconnaissance of internal infrastructure or potential data exfiltration. …
Remediation Organizations using bigsk1 openai-realtime-ui should immediately update to a commit at or after 54f8f50f43af97c334a881af7b021e84b5b8310f, which includes the upstream fix. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5803 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy