Description
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.
Published: 2026-04-20
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: Server‑Side Request Forgery that permits an authenticated user to make the server reach internal services, potentially exposing secrets.
Action: Apply Patch
AI Analysis

Impact

The Vexa webhook feature accepts an arbitrary URL to which meeting‑completion data is posted. Because no validation is performed, an authenticated attacker can point that URL at internal services, cloud metadata endpoints, or localhost resources. By forcing the application to contact those targets, the attacker can gather internal network information, extract credentials from cloud metadata services, or interact with database or admin interfaces. This SSRF flaw allows the attacker to potentially read or manipulate data inside the environment, affecting the confidentiality and integrity of the internal infrastructure. The flaw is classified as CWE‑918.

Affected Systems

Any instance of the Vexa HTTP API running versions earlier than 0.10.0‑260419‑1910 is vulnerable. The affected product is Vexa‑AI Vexa, a self‑hosted meeting bot and transcription API. Authenticated users controlling the webhook configuration are the attack surface.

Risk and Exploitability

The CVSS score of 5.8 indicates moderate severity. The EPSS score is not available, so the exploitation probability is unknown. It is not listed in the CISA KEV catalog. Because exploitation requires only an authenticated account that can set the webhook URL, an attacker with that access can trigger the server‑side request without any complex setup. The most straightforward attack vector is an authenticated user setting a webhook URL that points to an internal service or cloud metadata endpoint.

Generated by OpenCVE AI on April 20, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vexa installation to version 0.10.0‑260419‑1910 or later, where the SSRF issue is fixed.
  • If an upgrade cannot be performed immediately, disable the webhook feature or restrict webhook URLs to an approved whitelist of external domains.
  • Implement network segmentation or firewall rules that prevent outbound connections from the Vexa service to internal IP ranges, and monitor for outbound HTTP traffic to internal addresses.
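The allowlist-plus-address check those actions describe, as an added example written for this page rather than code from the Vexa project: only https URLs to an approved domain pass, and every address the host resolves to must be globally routable, which rejects loopback, RFC 1918 space and the 169.254/16 link-local range where the cloud metadata services sit. The allowlist domains and the offline stand-in resolver are constructed assumptions for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment loads its own.
ALLOWED_WEBHOOK_DOMAINS = {"hooks.example.com", "integrations.example.net"}

def _is_public(ip):
    # is_global is False for loopback, RFC 1918/ULA, link-local (169.254/16,
    # where the AWS/GCP/Azure metadata service lives), CGNAT and reserved space.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast

def validate_webhook_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason): https only, allowlisted host, all resolved IPs public.
    `resolver` has the getaddrinfo signature so an offline one can be injected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "userinfo not allowed"  # blocks https://allowed@internal/ tricks
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_WEBHOOK_DOMAINS:  # raw IPs and localhost fail here too
        return False, "host not on allowlist"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "host does not resolve"
    for info in infos:  # every A/AAAA answer must be public, not just the first
        ip = ipaddress.ip_address(info[4][0])
        if not _is_public(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"

# Constructed stand-in for DNS so the example runs offline; 8.8.8.8 is just a
# well-known public address used as the answer, 10.0.0.5 a private one.
FAKE_DNS = {"hooks.example.com": ["8.8.8.8"],
            "integrations.example.net": ["10.0.0.5", "8.8.8.8"]}

def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return [(None, None, None, "", (a, port)) for a in FAKE_DNS[host]]
```

Run the same check again at delivery time, not only when the URL is saved, and disable redirect-following in the HTTP client, since a DNS answer or a redirect target can change after the URL was accepted.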

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:15:00 +0000

  Values added:
    Description: Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.
    Title: Vexa Webhook Feature has a SSRF Vulnerability
    Weaknesses: CWE-918
    References: (no values shown)
    Metrics (cvssV3_1): {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:36:21.221Z

Reserved: 2026-02-06T21:08:39.129Z

Link: CVE-2026-25883

Vulnrichment

Updated: 2026-04-20T16:36:12.302Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T16:16:41.907

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-25883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses