Vercel AI Server-Side Request Forgery Vulnerability (CVE-2026-8768)
Vulnerability CVE-2026-8768 describes a server-side request forgery (SSRF) flaw in the validateDownloadUrl function of the provider-utils component in Vercel AI versions up to 3.0.97, enabling remote attackers to potentially make internal requests.
A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-8768, affects Vercel AI versions up to 3.0.97. The vulnerability resides within the validateDownloadUrl function in the packages/provider-utils/src/download-blob.ts file of the provider-utils component. Successful exploitation allows a remote attacker to make the application issue server-side requests to internal or external resources of the attacker's choosing, which can lead to information disclosure or further attacks. Public exploits for this vulnerability are available. The vendor has been notified but has not responded.
Attack Chain
- The attacker identifies the validateDownloadUrl function within Vercel AI's provider-utils component as a potential SSRF target.
- The attacker crafts a malicious URL containing a target for the SSRF attack, potentially an internal service or external resource.
- The attacker injects the malicious URL into an application input that is processed by the vulnerable validateDownloadUrl function.
- The validateDownloadUrl function fails to properly sanitize or validate the attacker-controlled URL.
- The Vercel AI application makes an HTTP request to the attacker-specified URL using server-side resources.
- The attacker gains access to information from internal services or external resources that the Vercel AI application can access.
- Depending on the internal services exposed, the attacker might escalate this SSRF to other internal attacks.
Impact
Successful exploitation of CVE-2026-8768 can allow an attacker to perform actions such as scanning internal networks, reading sensitive files from internal services, or potentially gaining unauthorized access to other systems accessible from the vulnerable Vercel AI instance. The lack of vendor response makes patching uncertain.
Recommendation
- Inspect and filter outbound network connections from Vercel AI instances to detect requests to unexpected internal resources (log source: network_connection, Sigma rule: "Detect Suspicious Outbound Connection").
- Deploy the Sigma rule "Detect Potential SSRF via validateDownloadUrl" to identify potential exploitation attempts targeting the vulnerable function.
- Monitor web server logs for unusual requests containing suspicious URLs indicative of SSRF exploitation attempts (log source: webserver).
Detection coverage (2 rules)
- Detect Potential SSRF via validateDownloadUrl (severity: medium): detects CVE-2026-8768 exploitation, i.e. suspicious requests to the /download endpoint with potentially malicious URLs.
- Detect Suspicious Outbound Connection (severity: medium): detects outbound connections to internal network ranges from web servers, indicating potential SSRF.
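To make both the validation failure described in the attack chain and the "Detect Suspicious Outbound Connection" rule concrete, here is an added example in JavaScript (Node), which is not Vercel AI's code and does not reproduce the project's validateDownloadUrl. It shows what a download-URL validator should enforce before any server-side fetch (absolute http/https URL only, no embedded credentials, no loopback, link-local, RFC 1918 or other internal host) and, using the same range check, a scanner over constructed network_connection records that flags connections from web-server processes to internal ranges. The function names, the record fields (process, dst_ip, dst_port), the web-server process list and the log lines are all assumptions made for this example.

```javascript
// Added example, not Vercel AI's own code. A hardened download-URL check and a
// network_connection scanner share one internal-range test. Names, record
// fields and sample data are assumptions.

// Loopback, link-local (which covers cloud metadata endpoints), RFC 1918,
// CGNAT and "this network" ranges as [base, prefix] CIDR pairs.
const INTERNAL_V4_RANGES = [
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["100.64.0.0", 10],
  ["0.0.0.0", 8],
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True if the address falls inside the CIDR block base/prefix.
function inCidr(ip, base, prefix) {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// True for hosts a server-side fetch must never be pointed at. Names are judged
// textually here; production code must also resolve the name, apply the same
// check to the resolved address and connect to that pinned address.
function isInternalHost(rawHost) {
  const host = rawHost.toLowerCase().replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.includes(":")) return true; // IPv6 literals rejected outright (assumption)
  const ip = parseIPv4(host);
  if (ip === null) return false; // a hostname, not an IP literal
  return INTERNAL_V4_RANGES.some(([base, prefix]) => inCidr(ip, base, prefix));
}

function tryParseUrl(raw) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Hypothetical hardened validator: absolute http(s) URL, no embedded
// credentials, no internal host. Returns the parsed URL or throws.
function validateDownloadUrlHardened(raw) {
  const url = tryParseUrl(raw);
  if (url === null) throw new Error("download URL is not a valid absolute URL");
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username !== "" || url.password !== "") {
    throw new Error("credentials in download URL are not allowed");
  }
  // WHATWG URL parsing has already normalised shorthand forms such as 127.1
  // or 0x7f.1 to dotted-quad, so the range check sees the canonical address.
  if (isInternalHost(url.hostname)) {
    throw new Error(`internal host not allowed: ${url.hostname}`);
  }
  return url;
}

// Constructed network_connection records (JSON lines); field names assumed.
const SAMPLE_NETWORK_LOG = [
  '{"ts":"2026-01-10T12:00:01Z","process":"node","dst_ip":"93.184.216.34","dst_port":443}',
  '{"ts":"2026-01-10T12:00:02Z","process":"node","dst_ip":"169.254.169.254","dst_port":80}',
  '{"ts":"2026-01-10T12:00:03Z","process":"node","dst_ip":"10.0.3.7","dst_port":6379}',
  '{"ts":"2026-01-10T12:00:04Z","process":"sshd","dst_ip":"10.0.0.5","dst_port":22}',
  "malformed line that the scanner must skip",
].join("\n");

// Processes that host the web application (assumption for this example).
const WEB_SERVER_PROCESSES = new Set(["node", "next-server"]);

// Apply the "outbound connection to an internal range from a web server"
// logic to JSON-lines input; returns the matching records.
function findSuspiciousOutbound(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // unparsable record: skip rather than abort the scan
    }
    if (!WEB_SERVER_PROCESSES.has(rec.process)) continue;
    if (typeof rec.dst_ip !== "string" || !isInternalHost(rec.dst_ip)) continue;
    hits.push({ ts: rec.ts, process: rec.process, dst: `${rec.dst_ip}:${rec.dst_port}` });
  }
  return hits;
}

console.log(findSuspiciousOutbound(SAMPLE_NETWORK_LOG));
```

Two design points matter in practice. The validator relies on the WHATWG URL parser to canonicalise the host before the range check runs, so shorthand and hexadecimal IPv4 spellings are caught, but a textual check cannot see what a public hostname resolves to; the fetch layer must resolve the name, re-apply isInternalHost to the resolved address and connect to that address rather than resolving again. The scanner is a starting point for the outbound-connection rule: its hits should be correlated with the webserver log for the /download endpoint, which is what the first rule above keys on.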