PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63086 huggingface CVE debrief

The text-generation-inference library through version 3.3.7 contains a server-side request forgery (SSRF) vulnerability in its OpenAI-compatible multimodal chat completions endpoint. This vulnerability allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The vulnerability arises from the fetch_image function in router/src/validation.rs, which performs no validation of private, loopback, link-local, or cloud metadata target addresses. Furthermore, the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.

Vendor
huggingface
Product
text-generation-inference
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of the text-generation-inference library, especially those hosting services that utilize the multimodal chat completions endpoint, should be aware of this vulnerability. This includes developers and administrators of applications that integrate text-generation-inference for chat functionalities, as they may be exposed to potential SSRF attacks.

Technical summary

The SSRF vulnerability in text-generation-inference allows attackers to manipulate the server into making unintended HTTP GET requests. This is achieved by providing a specially crafted image_url in chat message content, which the server then fetches without proper validation of the target address. The lack of validation for private, loopback, link-local, or cloud metadata target addresses, combined with the default behavior of the reqwest client to follow redirects, enables attackers to use redirect chains to access internal services and cloud instance-metadata endpoints. This could lead to internal port scanning and credential theft.

Defensive priority

High

Recommended defensive actions

  • Update text-generation-inference to a version beyond 3.3.7
  • Implement proper validation for image_url values to prevent SSRF
  • Restrict the types of addresses that can be targeted by the fetch_image function
  • Configure the reqwest client to not follow redirects by default
  • Monitor for suspicious activity related to the multimodal chat completions endpoint

Evidence notes

The CVE record was published on 2026-07-16T17:16:58.553Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck, and details can be found in their advisory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:58.553Z and has not been modified since then. The NVD entry is currently Deferred.