Description
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality but is never intended to let users access "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. For those who trust their event organizers, the risk is also very limited. For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services.
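The kind of destination check that keeps user-supplied URLs away from localhost, private networks and the cloud metadata address, as an added example that is not Indico's own code. The name table and the `.test` host names are constructed so the check runs without live DNS; `resolve` defaults to the real resolver.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Added example, not Indico's own code: validate a user-supplied URL before
# the application fetches it, refusing hosts that resolve to loopback, private
# or link-local addresses (which is where cloud metadata endpoints live).

def default_resolver(host: str) -> list[str]:
    """Resolve a hostname or IP literal to every address it maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

# Constructed name table standing in for DNS; hosts not listed fail to resolve.
DEMO_HOSTS = {
    "localhost": ["127.0.0.1", "::1"],
    "metadata.test": ["169.254.169.254"],
    "public.test": ["8.8.8.8"],
    "rebind.test": ["8.8.8.8", "10.0.0.5"],  # one public record, one internal
}

def demo_resolver(host: str) -> list[str]:
    try:
        return DEMO_HOSTS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: unknown host {host!r}") from None

def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses; is_global already
    excludes loopback, private, link-local and reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason); every address the host resolves to must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = list(resolve(host))
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}"
    for addr in addrs:  # all records must pass, not just the first one used
        if not is_public_ip(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"
```

Since the advisory also lists CWE-367 (time-of-check/time-of-use), note that a name accepted here can resolve differently when the HTTP client later connects; closing that gap means connecting to the address that was validated, or running the same check inside the client's connection hook.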
Published: 2026-02-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

Indico allows users to supply arbitrary URLs that are requested by the application, creating a server‑side request forgery weakness (CWE‑918) where an authenticated event organizer can construct requests to internal addresses such as localhost or cloud metadata services and read any data returned, thereby potentially exposing sensitive system information or leaking credentials. The flaw also reflects a broken trust boundary (CWE‑367) that lets organizers influence outbound traffic that the system is not intended to expose. The impact is limited to confidentiality and may affect availability if repeated requests breach rate limits.

Affected Systems

The vulnerability exists in the Indico event management system, supplied by indico:indico. Versions before 3.3.10 contain the flaw; the vendor released version 3.3.10 with a patch that prevents requests to protected endpoints. Only installations running these older releases are vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, but the EPSS estimate of less than 1% shows the probability of exploitation is low. The flaw is not listed in the CISA KEV catalog. The attack requires that the attacker be an event organizer and be able to forge a URL. Typical deployments that do not expose internal resources through the public interface are thus less affected, and risk is further limited to organizers that are trusted by the organization.

Generated by OpenCVE AI on April 18, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Indico to version 3.3.10 or later to eliminate the SSRF flaw.
  • If an upgrade is infeasible, set the http_proxy and https_proxy environment variables on both the indico-uwsgi and indico-celery services so that outbound requests are routed through a controlled proxy that can restrict destinations.
  • Enforce least privilege for event organizers to mitigate the trust boundary issue (CWE‑367) and monitor outbound requests to detect misuse related to the SSRF vulnerability (CWE‑918).

Generated by OpenCVE AI on April 18, 2026 at 11:47 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-f47c-3c5w-v7p4
Title: Indico has Server-Side Request Forgery (SSRF) in multiple places
History

Thu, 26 Feb 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Cern
Cern indico
CPEs cpe:2.3:a:cern:indico:*:*:*:*:*:*:*:*
Vendors & Products Cern
Cern indico
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Indico
Indico indico
Vendors & Products Indico
Indico indico

Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality but is never intended to let users access "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. For those who trust their event organizers, the risk is also very limited. For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services.
Title Indico has Server-Side Request Forgery (SSRF) in multiple places
Weaknesses CWE-367
CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:34:39.413Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25738

Vulnrichment

Updated: 2026-02-19T17:22:47.267Z

NVD

Status : Analyzed

Published: 2026-02-19T16:27:15.093

Modified: 2026-02-26T02:57:25.467

Link: CVE-2026-25738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses