{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/text-generation-inference--3.3.7/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-63086"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["text-generation-inference \u003c= 3.3.7"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","data-exfiltration","cloud","network"],"_cs_type":"advisory","_cs_vendors":["Hugging Face"],"content_html":"\u003cp\u003eA critical Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-63086, has been identified in text-generation-inference software, affecting all versions through 3.3.7. This vulnerability resides within the OpenAI-compatible multimodal chat completions endpoint, allowing unauthenticated network attackers to compromise the server. By supplying a specially crafted \u003ccode\u003eimage_url\u003c/code\u003e value within chat message content, attackers can coerce the server into making arbitrary HTTP GET requests. The root cause is a lack of validation in the \u003ccode\u003efetch_image\u003c/code\u003e function within \u003ccode\u003erouter/src/validation.rs\u003c/code\u003e for private, loopback, link-local, or cloud metadata target addresses. Additionally, the \u003ccode\u003ereqwest\u003c/code\u003e HTTP client's default behavior of following redirects enables attackers to bypass scheme checks through redirect chains. This exploitation vector leads to internal port scanning and credential theft from internal services and cloud instance-metadata endpoints, posing a significant risk of unauthorized access and data exfiltration within an organization's network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a \u003ccode\u003etext-generation-inference\u003c/code\u003e instance exposed on the network, specifically its OpenAI-compatible multimodal chat completions endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/v1/chat/completions\u003c/code\u003e endpoint on the vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe request's JSON body includes chat message content that contains a specially crafted \u003ccode\u003eimage_url\u003c/code\u003e value pointing to an attacker-controlled server (e.g., \u003ccode\u003ehttp://attacker.com/redirect?to=169.254.169.254\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etext-generation-inference\u003c/code\u003e server, within its \u003ccode\u003efetch_image\u003c/code\u003e function in \u003ccode\u003erouter/src/validation.rs\u003c/code\u003e, attempts to retrieve the image specified by the malicious \u003ccode\u003eimage_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to insufficient validation of private, loopback, link-local, or cloud metadata target addresses, and the HTTP client's default behavior of following redirects, the server is coerced.\u003c/li\u003e\n\u003cli\u003eThe server makes an arbitrary HTTP GET request to an internal resource or a cloud instance-metadata endpoint (e.g., \u003ccode\u003e169.254.169.254\u003c/code\u003e) as directed by the attacker's crafted URL and subsequent redirects.\u003c/li\u003e\n\u003cli\u003eThe internal service or metadata endpoint responds to the \u003ccode\u003etext-generation-inference\u003c/code\u003e server with information, which may include sensitive data like cloud credentials or internal network details.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves this response via the initial \u003ccode\u003e/v1/chat/completions\u003c/code\u003e request, completing credential theft or internal network reconnaissance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63086 grants unauthenticated attackers the ability to perform internal network reconnaissance, such as port scanning, and potentially steal credentials from cloud instance metadata endpoints. This can lead to unauthorized access to internal services, sensitive data exfiltration, and further compromise of the victim's infrastructure. While no specific victim count or targeted sectors are mentioned, any organization deploying text-generation-inference through version 3.3.7 with its OpenAI-compatible multimodal chat completions endpoint exposed is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-63086 immediately by upgrading \u003ccode\u003etext-generation-inference\u003c/code\u003e to a version beyond 3.3.7.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict outbound network connections from \u003ccode\u003etext-generation-inference\u003c/code\u003e instances, especially to private IP ranges and cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Possible SSRF to Internal/Metadata IPs\u0026quot; in this brief to your SIEM and tune for your environment to identify suspicious outbound connections from servers running \u003ccode\u003etext-generation-inference\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon or equivalent network connection logging is enabled on servers hosting \u003ccode\u003etext-generation-inference\u003c/code\u003e to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T17:21:35Z","date_published":"2026-07-16T17:21:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-text-generation-inference-ssrf/","summary":"An unauthenticated network attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-63086, in the OpenAI-compatible multimodal chat completions endpoint of text-generation-inference through version 3.3.7 to coerce the server into issuing arbitrary HTTP GET requests, enabling internal port scanning and credential theft from internal services and cloud instance metadata endpoints.","title":"Server-Side Request Forgery in text-generation-inference Allows Internal Access","url":"https://feed.craftedsignal.io/briefs/2026-07-text-generation-inference-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Text-Generation-Inference \u003c= 3.3.7","version":"https://jsonfeed.org/version/1.1"}