Description
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
Published: 2026-03-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The Lemmy link aggregator is vulnerable to a Server‑Side Request Forgery (SSRF) that allows an unauthenticated attacker to inject arbitrary query parameters into the file_type query string of the /api/v4/image/{filename} endpoint, causing the internal pict‑rs service to fetch arbitrary URLs. This flaw permits the attacker to coerce the server into making outbound HTTP requests to arbitrary destinations, potentially exposing internal resources or exfiltrating data. The weakness is a classic case of insecure proxy use, mapped to CWE‑918.

Affected Systems

The flaw exists in LemmyNet Lemmy versions older than 0.19.16, where the activitypub_federation dependency is used to route image requests via pict‑rs.

Risk and Exploitability

The vulnerability has a CVSS score of 7.7 and an EPSS score less than 1%, indicating high severity but very low probability of exploitation. It is not listed in CISA’s KEV catalog. The attack vector is likely remote, through the publicly accessible /api/v4/image endpoint, and requires no authentication. The patch is available in version 0.19.16, making upgrade the most effective mitigation.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lemmy to version 0.19.16 or later, which contains the fix for the SSRF flaw.
  • If an upgrade cannot be performed immediately, restrict access to the /api/v4/image endpoint to authenticated users or internal networks by configuring a firewall or application‑layer access control.
  • Disable or limit outbound traffic from the server or the pict‑rs component, or deploy a network proxy that filters outbound requests to prevent unintended SSRF.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jvxv-2jjp-jxc3 Lemmy has unauthenticated SSRF via file_type query parameter injection in image endpoint
History

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Lemmynet
Lemmynet lemmy
Vendors & Products Lemmynet
Lemmynet lemmy

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/{filename} endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
Title Lemmy: Unauthenticated SSRF via file_type query parameter injection in image endpoint
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Lemmynet Lemmy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:33:08.993Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29178

cve-icon Vulnrichment

Updated: 2026-03-06T18:32:57.675Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-06T18:16:20.650

Modified: 2026-03-09T13:35:34.633

Link: CVE-2026-29178

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses