PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22664 f CVE debrief

A server-side request forgery (SSRF) vulnerability in prompts.chat's Fal.ai media status polling feature allows authenticated attackers to perform arbitrary outbound HTTP requests by supplying attacker-controlled URLs in the token parameter. The application fails to validate or restrict destination URLs before making backend requests, enabling credential theft of the FAL_API_KEY from Authorization headers, internal network reconnaissance, and unauthorized consumption of Fal.ai API quota. The vulnerability affects versions prior to commit 30a8f04.

Vendor: f
Product: prompts.chat
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Organizations operating prompts.chat instances, security teams managing AI/ML application infrastructure, developers implementing third-party API integrations with polling mechanisms, and Fal.ai customers concerned about API key exposure.

Technical summary

The prompts.chat application implements a media status polling feature that communicates with Fal.ai services. The polling mechanism accepts a token parameter that is used to construct or directly specify the target URL for status checks. The application performs no validation of this URL before executing the HTTP request, permitting attackers to supply arbitrary URLs including internal network addresses or attacker-controlled endpoints. When the application makes these requests, it includes the FAL_API_KEY in the Authorization header, which is then transmitted to the attacker-specified destination. This enables credential exfiltration, lateral movement through internal network probing, and financial/resource abuse of the victim's Fal.ai account. The vulnerability requires authenticated access but is otherwise trivial to exploit given the lack of URL validation controls.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to prompts.chat commit 30a8f04 or later, which implements proper URL validation for Fal.ai media status polling endpoints
  • Implement strict allowlist validation for all outbound HTTP requests in media polling features, restricting destinations to known-good Fal.ai API endpoints
  • Review application logs for anomalous outbound requests from the media status polling feature, particularly requests to unexpected internal or external destinations
  • Rotate exposed FAL_API_KEY credentials if compromise is suspected
  • Deploy network egress controls to restrict server-initiated connections to authorized Fal.ai infrastructure only
  • Audit similar polling or webhook mechanisms in the application for equivalent SSRF vulnerabilities
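One way to implement the allowlist check recommended above, written here as an added example rather than prompts.chat's own code. The allowed host names and the `Key` Authorization scheme are assumptions for illustration; the point is that the API key is only ever attached to a request whose destination has passed an exact-host, HTTPS-only check.

```typescript
// Added example (not prompts.chat code). The vulnerable pattern described in
// the advisory amounts to: fetch(token, { headers: { Authorization: key } })
// with `token` taken straight from the request. Below, the caller-supplied
// value is parsed and checked before it can become an outbound request.
const ALLOWED_FAL_HOSTS = new Set(["queue.fal.run", "fal.run"]); // assumed hosts

interface PollTarget {
  url: string;                       // canonicalised URL that is safe to fetch
  headers: Record<string, string>;   // credential attached only after validation
}

// Returns null when the supplied value must not be fetched at all.
function resolvePollTarget(token: string, falApiKey: string): PollTarget | null {
  let parsed: URL;
  try {
    parsed = new URL(token);
  } catch {
    return null;                                         // not an absolute URL
  }
  if (parsed.protocol !== "https:") return null;         // no http://, file://, etc.
  if (parsed.username !== "" || parsed.password !== "") return null; // no "host@evil"
  if (parsed.port !== "") return null;                   // no non-default port
  if (!ALLOWED_FAL_HOSTS.has(parsed.hostname)) return null; // exact match, no suffix tricks
  parsed.hash = "";                                      // fragments never leave the client
  return {
    url: parsed.toString(),
    headers: { Authorization: `Key ${falApiKey}` },      // header scheme assumed
  };
}

// Counts how many of a batch of candidate values would be rejected; handy for
// a regression test over constructed samples without touching the network.
function countRejected(tokens: string[]): number {
  return tokens.filter((t) => resolvePollTarget(t, "placeholder-key") === null).length;
}
```

Any value that fails `resolvePollTarget` should be logged with its source user, since in this bug class a rejected URL is usually an exploitation attempt rather than a typo.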

Evidence notes

The vulnerability was disclosed via VulnCheck and NVD with a CVSS 4.0 vector indicating network attack vector, low attack complexity, low privileges required, and high confidentiality impact. The weakness is classified as CWE-918 (Server-Side Request Forgery). A patch commit (30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99) addresses the issue. Exploitability is confirmed through a third-party advisory and an exploit demonstration.

Official resources

2026-04-03