Skip to main content

Local Deep Research EUVDEUVD-2026-32977

| CVE-2026-46526 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-28 GitHub_M GHSA-g23j-2vwm-5c25
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 28, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 28, 2026 - 19:27 vuln.today
Analysis Generated
May 28, 2026 - 19:27 vuln.today

DescriptionGitHub Advisory

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10.

AnalysisAI

SSRF protection in Local Deep Research prior to version 1.6.10 can be bypassed by authenticated users through a URL parser differential between Python's urlparse and the requests/urllib3 library. By supplying a crafted URL such as http://127.0.0.1:6666\@1.1.1.1, an attacker causes urlparse to extract the public host 1.1.1.1 (passing the SSRF check) while requests actually connects to the internal address 127.0.0.1. No public exploitation has been confirmed in CISA KEV at time of analysis, but a working proof-of-concept was included in the GHSA advisory. The CVSS 5.0 score reflects the authentication barrier (PR:L) and limited confidentiality impact (C:L), though the changed scope (S:C) signals the server itself is used to pivot to otherwise-unreachable internal resources.

Technical ContextAI

Local Deep Research (CPE: cpe:2.3:a:learningcircuit:local-deep-research:*:*:*:*:*:*:*:*) is a Python-based AI research assistant that fetches external URLs as part of its research pipeline. The vulnerable code path is the safe_get function, which calls validate_url for SSRF protection before passing the URL to requests.get. validate_url uses Python's urllib.parse.urlparse to extract the host and compare it against a blocklist of private IP ranges. The root cause (CWE-918, Server-Side Request Forgery) is a parser-differential: urlparse treats a backslash as an ordinary character and interprets the @ symbol as the userinfo-host separator, extracting the public host to the right of @. The requests library (backed by urllib3) treats backslash as a path delimiter, so the actual TCP connection is made to the host to the left of the backslash - an internal address that would normally be blocked. The same differential affected the NotificationURLValidator for HTTP/HTTPS notification URLs. The fix in v1.6.10 applies two layers: (1) an RFC_FORBIDDEN_URL_CHARS_RE regex in ssrf_validator.py that outright rejects URLs containing backslash, whitespace, or ASCII control bytes; and (2) replacing urlparse hostname extraction with urllib3.util.parse_url so the validator and HTTP client use the identical parser.

RemediationAI

Upgrade local-deep-research to version 1.6.10 or later via pip (pip install --upgrade local-deep-research). The fix is confirmed in the vendor release at https://github.com/LearningCircuit/local-deep-research/releases/tag/v1.6.10 and was delivered across PRs #3873, #3882, #3889, and #3932. If immediate upgrade is not possible, a compensating control is to restrict network egress from the host running Local Deep Research using firewall rules or a network policy that blocks outbound connections to RFC-1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16), and loopback (127.0.0.0/8) - this limits SSRF reachability but does not remediate the parser flaw itself, and misconfigured egress rules may leave cloud metadata endpoints exposed. Additionally, restrict access to the application to trusted users only until patching is complete, reducing exposure given the PR:L requirement.

Share

EUVD-2026-32977 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy