PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8768 Vercel CVE debrief

CVE-2026-8768 is a server-side request forgery (SSRF) vulnerability in the vercel ai package’s provider-utils component, specifically the validateDownloadUrl function in packages/provider-utils/src/download-blob.ts. The issue is described as remotely exploitable and affecting versions up to 3.0.97. The vulnerability was published on 2026-05-17 and is rated medium severity (CVSS 5.5). The disclosure also states that exploit code was made public and that the vendor was contacted early but did not respond.

Vendor: Vercel
Product: Ai
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-19
Advisory published: 2026-05-17
Advisory updated: 2026-05-19

Who should care

Teams running vercel ai version 3.0.97 or earlier, especially applications that fetch remote content or allow user-influenced download URLs through provider-utils. Security teams should also care if the package is used in internet-facing services where SSRF could reach internal or cloud metadata endpoints.

Technical summary

The CVE description attributes the flaw to insufficient validation in validateDownloadUrl, allowing an attacker to manipulate a download URL and trigger server-side requests from the application. NVD records the weakness as CWE-918 (SSRF) and lists the attack vector as network, with low complexity and no privileges or user interaction required. The provided metadata indicates public exploit availability, but no additional exploit details are included in the supplied corpus.

Defensive priority

Medium. This is remotely reachable and can be used to pivot application-side requests toward internal services, so it deserves prompt remediation even though the CVSS score is not critical. Prioritize any deployment that processes attacker-influenced URLs or runs in environments with access to sensitive internal networks.

Recommended defensive actions

  • Upgrade vercel ai to a version newer than 3.0.97 if a fixed release is available.
  • Audit any code paths that pass user-controlled or externally influenced URLs into provider-utils download handling.
  • Add or tighten allowlists for permitted hostnames, schemes, and destination networks in URL validation.
  • Block outbound access from the application to internal ranges, link-local addresses, and cloud metadata endpoints where possible.
  • Review logs and telemetry for unusual outbound requests originating from the application layer.
  • If immediate upgrade is not possible, apply compensating controls such as network egress filtering and request destination validation at the application boundary.

Evidence notes

The supplied CVE description explicitly names vercel ai up to 3.0.97, the affected function validateDownloadUrl, the file packages/provider-utils/src/download-blob.ts, remote SSRF impact, public exploit availability, and lack of vendor response. NVD metadata supplied in the corpus lists CWE-918 and a CVSS 4.0 vector consistent with network-reachable, no-authentication exploitation. No additional claims are made beyond the provided sources.

Official resources

Publicly disclosed on 2026-05-17. The description states that exploit code has been made public and that the vendor was contacted early but did not respond.