medium advisory

ItzCrazyKns Vane SSRF Vulnerability (CVE-2026-9372)

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-9372, exists in ItzCrazyKns Vane up to version 1.12.1, allowing a remote attacker to manipulate the baseURL argument in the Model Provider API component and potentially conduct internal reconnaissance or access sensitive data.

A server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-9372, has been identified in ItzCrazyKns Vane versions up to 1.12.1. The vulnerability resides within the Model Provider API component, specifically the src/app/api/providers/route.ts file. An attacker can exploit this flaw by manipulating the baseURL argument to force the server to make requests to arbitrary internal or external resources. This can lead to information disclosure, internal reconnaissance, or potentially further exploitation of internal systems. The vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available. The vendor has been notified, but has not yet responded to the report.

Attack Chain

  1. Attacker identifies a vulnerable instance of ItzCrazyKns Vane running a version <= 1.12.1.
  2. Attacker crafts a malicious request targeting the /api/providers/route.ts endpoint.
  3. The crafted request includes a modified baseURL argument designed to point to an internal resource or external server controlled by the attacker.
  4. The Vane application processes the request and, without proper validation, uses the attacker-controlled baseURL to construct an HTTP request.
  5. The application makes an HTTP request to the specified URL in the baseURL.
  6. If the baseURL points to an internal resource, the application fetches and potentially exposes sensitive information.
  7. If the baseURL points to an attacker-controlled server, the application may leak sensitive headers or authentication tokens.
  8. The attacker analyzes the response to gain information about the internal network or access restricted resources.

Impact

Successful exploitation of CVE-2026-9372 allows an attacker to perform server-side request forgery (SSRF). This can lead to internal reconnaissance, where the attacker can map internal network resources, and potentially access sensitive data from internal services. The attacker might also be able to leverage the vulnerable server as a proxy to bypass firewall restrictions or access other internal systems that are not directly exposed to the internet. While the specific impact depends on the internal network configuration and services, the potential for information disclosure and lateral movement is significant.

Recommendation

  • Inspect web server logs for requests to /api/providers/route.ts with unusual or unexpected baseURL parameters, as implemented by the rule Detect CVE-2026-9372 Exploitation — SSRF via baseURL Parameter.
  • Apply input validation and sanitization to the baseURL argument within the src/app/api/providers/route.ts file to prevent malicious manipulation.
  • Implement network segmentation and access controls to limit the impact of potential SSRF attacks.
  • Deploy the Sigma rule Detect Outbound Connections from Vane to Unusual Destinations to identify potential SSRF attempts to external or internal resources.
  • Monitor network traffic for outbound connections originating from the Vane server to internal IPs or unusual external destinations.
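As an added illustration of the second recommendation (example code written for this advisory, not Vane's own code), the validator below shows the shape of the check a route handler should run on a user-supplied baseURL before any outbound request is built. The function name `validateBaseUrl`, the optional operator-configured `allowedHosts` list and the deny rules are assumptions; they are not taken from the project.

```typescript
// Added example (not from the Vane project): validate a provider baseURL
// before it is used to construct a server-side HTTP request.
type Octets = [number, number, number, number];
type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
// Names that should never be reachable through a provider URL (assumed list).
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// new URL() canonicalises IPv4 spellings (2130706433, 0x7f000001, 127.1 all
// become 127.0.0.1), so a plain dotted-quad parse after parsing is enough.
function parseIPv4(host: string): Octets | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o: Octets = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
  return o.every((x) => x <= 255) ? o : null;
}

// Loopback, RFC 1918, link-local (covers 169.254.169.254), CGNAT, 0.0.0.0/8.
function isPrivateIPv4([a, b]: Octets): boolean {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// If allowedHosts is given, only those hosts pass (operator explicitly trusts
// them, e.g. a local model server). Otherwise fall back to deny rules.
export function validateBaseUrl(raw: string, allowedHosts?: string[]): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: "protocol not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (allowedHosts) {
    return allowedHosts.includes(host) ? { ok: true, url } : { ok: false, reason: "host not in allowlist" };
  }
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: "blocked hostname" };
  // WHATWG URL keeps IPv6 literals bracketed; reject them (covers ::1 and ::ffff: forms).
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal not allowed" };
  const v4 = parseIPv4(host);
  if (v4 && isPrivateIPv4(v4)) return { ok: false, reason: "private or link-local address" };
  return { ok: true, url };
}
```

A hostname that resolves to a private address (including via DNS rebinding) is not caught by string checks; the resolved address must also be checked at connect time, and egress from the Vane host should be restricted at the network layer as the next recommendation says.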

Detection coverage (2 rules)

Detect CVE-2026-9372 Exploitation — SSRF via baseURL Parameter

medium

Detects CVE-2026-9372 exploitation — Monitors web server logs for requests to the /api/providers/route.ts endpoint with suspicious manipulation of the baseURL parameter, indicating a potential SSRF attempt.

sigma | tactics: initial_access | techniques: T1190 | sources: webserver

Detect Outbound Connections from Vane to Unusual Destinations

low

Detects outbound network connections originating from the Vane application server to internal IP addresses or unusual external destinations, which could indicate SSRF exploitation.

sigma | tactics: initial_access | techniques: T1190 | sources: network_connection, windows