Skip to main content

Vane CVE-2026-9372

| EUVDEUVD-2026-31586 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-24 VulDB GHSA-g5cv-p9gg-j22x
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 20:07 NVD
HIGH MEDIUM
CVSS changed
May 26, 2026 - 20:07 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Analysis Generated
May 24, 2026 - 10:45 vuln.today

DescriptionCVE.org

A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in ItzCrazyKns Vane through version 1.12.1 enables unauthenticated remote attackers to manipulate the baseURL parameter in the Model Provider API, potentially accessing internal resources and services. The exploit has been publicly disclosed via a GitHub issue, and the CVSS temporal score indicates proof-of-concept code exists (E:P). The vendor was notified but has not yet responded or released a patch.

Technical ContextAI

Vane is affected by CWE-918 (Server-Side Request Forgery), where the application makes HTTP requests to attacker-controlled URLs without proper validation. The vulnerability resides in src/app/api/providers/route.ts, specifically in the Model Provider API endpoint. SSRF vulnerabilities allow attackers to use the vulnerable server as a proxy to access internal networks, cloud metadata services, or other restricted resources that would normally be inaccessible from the internet.

RemediationAI

No vendor-released patch identified at time of analysis. The vendor was notified via issue report but has not responded. As immediate mitigation, restrict network access to the Model Provider API endpoint, implement strict input validation for the baseURL parameter, or disable the affected API functionality if not required. Consider implementing an allowlist of permitted URLs for the baseURL parameter and deploying a web application firewall (WAF) with SSRF detection rules. Monitor for suspicious outbound requests from the Vane application server.

Share

CVE-2026-9372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy