PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45082 karakeep-app CVE debrief

Karakeep, a self-hostable bookmark manager, carries a Server-Side Request Forgery (SSRF) protection bypass that lets an authenticated user defeat its network isolation controls with a crafted chain of HTTP redirects. Versions before 0.32.0 are affected; the weakness sits in the redirect-following code used by the crawler and by the video download workflow. The application does block requests to internal and private network destinations, but that check can be sidestepped by having an attacker-controlled URL redirect, possibly through several hops, to an internal address. A successful attack makes the application issue requests to services on Docker networks reachable from its container. The CVSS 3.1 base score is 7.6 (HIGH): network attack vector, low attack complexity, low privileges required, no user interaction, high confidentiality impact, and low integrity and availability impact. The vulnerability was disclosed on May 26, 2026, together with the fix in version 0.32.0. Operators of self-hosted Karakeep should upgrade promptly, above all where sensitive internal services share a Docker network with the application container.

Vendor
karakeep-app
Product
karakeep
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations and individuals operating self-hosted Karakeep instances, particularly those deployed in containerized environments with access to internal services. Security teams responsible for SSRF protection in web applications and bookmarking/crawling services. DevOps engineers managing Docker network segmentation for self-hosted applications.

Technical summary

The weakness is in Karakeep's redirect-following code, which does not re-validate the destination of each redirect once the initial request has passed the check. An authenticated attacker supplies a URL that returns a chain of HTTP redirects: the first hop (or hops) points at a public destination that passes the filter, and the final Location header points at an internal address, such as the 172.16.0.0/12 and 10.0.0.0/8 ranges Docker commonly allocates to its networks. From the advisory, the SSRF guard appears to run only against the URL the user submitted rather than against every hop of the chain. The affected call paths are the crawler that fetches bookmark content and the video download flow. The fix in 0.32.0 presumably validates every redirect target, or refuses redirects into private ranges regardless of where they occur in the chain.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Karakeep to version 0.32.0 or later; this is the only action that removes the bypass itself
  • Review network segmentation between the Karakeep container and sensitive internal services, in particular every Docker network the container is attached to; a service only has to be reachable from the container, not published on the host, to be a target
  • Audit application and reverse-proxy logs for bookmark or video URLs on attacker-controlled hosts, and any egress or proxy logs for outbound connections from the container to private address ranges
  • Add egress filtering at the container or host level (for example a rule in the DOCKER-USER iptables chain, or forcing the crawler through an egress proxy that denies RFC 1918, loopback and link-local destinations including 169.254.169.254) so that a future bypass cannot reach internal services
  • Consider running Karakeep on an isolated network segment with no route to sensitive internal infrastructure
  • Verify that any custom redirect-following configuration or proxy settings do not weaken the SSRF protections; a proxy that follows redirects on the application's behalf would bypass in-application checks entirely

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Affected versions, patch availability, and technical details confirmed through GitHub Security Advisory GHSA-g647-327m-79g9. CVSS vector and scoring per NVD entry. Timeline dates per CVE published and modified timestamps.

Official resources

2026-05-26