PatchSiren cyber security CVE debrief
CVE-2026-63086 huggingface CVE debrief
The text-generation-inference library through version 3.3.7 contains a server-side request forgery (SSRF) vulnerability in its OpenAI-compatible multimodal chat completions endpoint. This vulnerability allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The vulnerability arises from the fetch_image function in router/src/validation.rs, which performs no validation of private, loopback, link-local, or cloud metadata target addresses. Furthermore, the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.
- Vendor
- huggingface
- Product
- text-generation-inference
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of the text-generation-inference library, especially those hosting services that utilize the multimodal chat completions endpoint, should be aware of this vulnerability. This includes developers and administrators of applications that integrate text-generation-inference for chat functionalities, as they may be exposed to potential SSRF attacks.
Technical summary
The SSRF vulnerability in text-generation-inference allows attackers to manipulate the server into making unintended HTTP GET requests. This is achieved by providing a specially crafted image_url in chat message content, which the server then fetches without proper validation of the target address. The lack of validation for private, loopback, link-local, or cloud metadata target addresses, combined with the default behavior of the reqwest client to follow redirects, enables attackers to use redirect chains to access internal services and cloud instance-metadata endpoints. This could lead to internal port scanning and credential theft.
Defensive priority
High
Recommended defensive actions
- Update text-generation-inference to a version beyond 3.3.7
- Implement proper validation for image_url values to prevent SSRF
- Restrict the types of addresses that can be targeted by the fetch_image function
- Configure the reqwest client to not follow redirects by default
- Monitor for suspicious activity related to the multimodal chat completions endpoint
Evidence notes
The CVE record was published on 2026-07-16T17:16:58.553Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability was disclosed by Vulncheck, and details can be found in their advisory.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:58.553Z and has not been modified since then. The NVD entry is currently Deferred.