Skip to main content

router-for-me CLIProxyAPI CVE-2026-8081

| EUVDEUVD-2026-28403 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-07 VulDB GHSA-v2c6-3phc-2r62
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 07, 2026 - 18:45 vuln.today
Severity Changed
May 07, 2026 - 18:22 NVD
MEDIUM LOW
CVSS changed
May 07, 2026 - 18:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
CVE Published
May 07, 2026 - 18:00 nvd
LOW 2.1

DescriptionCVE.org

A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Server-side request forgery in router-for-me CLIProxyAPI 6.9.29 allows authenticated remote attackers to manipulate the url parameter in the API Interface handler to perform arbitrary network requests on behalf of the server. The vulnerability has a publicly available exploit and vendor communication attempts were unsuccessful, though the low CVSS score (2.1) and requirement for authenticated access limit real-world impact compared to unauthenticated SSRF vulnerabilities.

Technical ContextAI

The vulnerability exists in the API management interface component (internal/api/handlers/management/api_tools.go) where user-supplied URL input is processed without proper validation or sanitization. This is a classic Server-Side Request Forgery (CWE-918) attack where an authenticated user can craft a malicious url parameter that causes the CLIProxyAPI server to initiate outbound HTTP requests to arbitrary destinations. The affected product is CLIProxyAPI, a reverse proxy or API gateway tool used by router-for-me, which processes API requests and forwards them - making it particularly susceptible to SSRF when request parameters are not adequately validated before being used to construct outbound requests.

RemediationAI

No vendor-released patch identified at time of analysis. The vendor's non-response to early disclosure means users cannot rely on official updates. Recommended mitigations: (1) Restrict network access to CLIProxyAPI's management API endpoint to trusted administrative hosts only via firewall or network ACLs - this directly limits who can send malicious url parameters. (2) Implement input validation and URL whitelist controls at the application level by modifying internal/api/handlers/management/api_tools.go to reject non-whitelisted destination URLs and validate that url parameters conform to expected formats (e.g., only allow URLs to specific internal services). (3) Disable the vulnerable API endpoint or feature if not actively used in production. (4) Monitor outbound connections from CLIProxyAPI for suspicious destinations (internal IP ranges, localhost, cloud metadata services) using IDS or network logging. (5) Run CLIProxyAPI with minimal network privileges - use container security policies or host firewall rules to block outbound requests to unauthorized ranges. Evaluate migration to an actively maintained reverse proxy or API gateway product if CLIProxyAPI is unmaintained.

Share

CVE-2026-8081 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy