Description
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
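As an added illustration (not Lemmy's own code), the check the description says was missing before 0.19.18: screen the og:image URL extracted from the page against internal address ranges with the same rule applied to the submitted page URL. The sample HTML, the resolver stubs and the public addresses are constructed; hostnames are checked against every address they resolve to and anything the check cannot classify is refused.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _dns_resolve(host):  # every address the name resolves to; [] if none
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_internal_url(url, resolve=_dns_resolve):
    """True if `url` would reach a loopback/private/link-local address; fails closed."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    if parts.scheme not in ("http", "https") or not host or host == "localhost":
        return True
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS lookup
    except ValueError:
        addrs = resolve(host)  # hostname: check every A/AAAA answer it returns
    if not addrs:
        return True
    for ip in map(ipaddress.ip_address, addrs):
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return True
    return False

class _OgImage(HTMLParser):  # collects content= of every <meta property="og:image">
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") == "og:image" and a.get("content"):
            self.images.append(a["content"])

def preview_allowed(page_url, html, resolve=_dns_resolve):
    """Run the same range check on the page URL *and* on its og:image before fetching."""
    if is_internal_url(page_url, resolve):
        return (False, "page URL targets an internal address")
    parser = _OgImage()
    parser.feed(html)
    image = next(iter(parser.images), None)
    if image is not None and is_internal_url(image, resolve):
        return (False, "og:image targets an internal address")
    return (True, image)

# Constructed sample: a public page whose og:image points at a local image store.
SAMPLE_HTML = '<meta property="og:image" content="http://127.0.0.1:8080/image/original/x.png">'
```

The resolver hook exists so the check can be applied to the addresses actually used for the fetch; a literal-IP-only check is bypassed by any hostname that resolves inward.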
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Lemmy retrieves Open Graph metadata for user‑supplied URLs. In the StoreLinkPreviews image mode, the Open Graph image is fetched server‑side and stored locally. Because the extracted og:image URL is not validated against internal network ranges, an attacker can cause the system to request an internal resource, expose its content, and serve it to other users. The CVSS score of 6.5 reflects moderate severity, indicating that this flaw can compromise data confidentiality and potentially degrade service availability if abused for large payloads.

Affected Systems

All Lemmy installations running a version earlier than 0.19.18 are impacted. The affected product is Lemmy, a federated link aggregator, from the vendor LemmyNet. The flaw exists in the mechanism that fetches link preview images on post creation or link share.

Risk and Exploitability

The risk level is medium. An authenticated user with low privileges can submit a malicious link; the server then performs a request to an internal endpoint, stores the resulting image, and later serves it to other users. The exploit does not require additional privileges beyond standard account rights. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, so while exploitation is possible, it is not yet verified as actively exploited in the wild.

Generated by OpenCVE AI on May 8, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy Lemmy version 0.19.18 or later to remove the SSRF flaw.
  • Reconfigure the preview settings to disable automatic image fetching for untrusted URLs or for low‑privileged users.
  • If upgrading immediately is not possible, clear any cached thumbnails that may expose internal content and disable or restrict the StoreLinkPreviews mode until a patch is applied.



Advisories
Source: Github GHSA
ID: GHSA-h6hf-9846-xwrq
Title: Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image
History

Fri, 08 May 2026 22:45:00 +0000

Values Added
First Time appeared: Lemmynet, Lemmynet lemmy
Vendors & Products: Lemmynet, Lemmynet lemmy

Fri, 08 May 2026 20:00:00 +0000

Values Added
Description: Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
Title: Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image
Weaknesses: CWE-918
References:
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:26:07.763Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42181

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T20:16:31.160

Modified: 2026-05-08T20:16:31.160

Link: CVE-2026-42181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses