Description
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true — a supported and documented configuration — this means any internet user who can register. This issue has been patched in version 0.5.4.
Published: 2026-05-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PromptHub's POST /api/skills/fetch-remote endpoint allows an authenticated user to provide an arbitrary URL. The server fetches the resource and returns the response body, up to 5 MB, to the caller. The SSRF protection attempts to block private or loopback addresses by checking the IPv6 representation with isPrivateIPv6, but several legitimate IPv6 representations bypass this check. The bypass enables reaching any IPv4 address—including loopback, RFC1918, link-local networks—via IPv4-mapped IPv6 in hexadecimal form, as well as canonical ::1 via any non-literal representation. This flaw permits authenticated users (roles user or admin) to trigger server‑side HTTP requests against internal or privileged services, exposing internal network resources and data. The weakness maps to CWE-20 (Improper Input Validation), CWE-693 (Improper Control Flow, Privilege Dependency) and CWE-918 (Server Side Request Forgery).

Affected Systems

The vulnerability affects legeling PromptHub versions 0.4.9 through 0.5.3, inclusive, which expose the vulnerable endpoint without proper validation. The issue has been addressed in version 0.5.4. Deployments that enable ALLOW_REGISTRATION=true are particularly susceptible because any remote user who can create an account becomes an authenticated user able to trigger SSRF. Other configurations that restrict user registration or authentication are less vulnerable but still contain the code path.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium‑to‑high impact, with an authentication requirement. As the EPSS score is not available, the probability of exploitation at the time of analysis is uncertain. The vulnerability is not listed in the CISA KEV catalog. Attackers would need valid credentials or a means to create an account under ALLOW_REGISTRATION=true, after which they could supply specially crafted IPv6 URLs that bypass the filter and cause the server to retrieve data from internal or delegated endpoints. Successful exploitation could lead to disclosure of internal network structure, service information, or sensitive data returned in the HTTP response body.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PromptHub to version 0.5.4 or later, where the SSRF filter has been corrected.
  • If an upgrade is not immediately possible, disable the POST /api/skills/fetch-remote endpoint or remove its handler to stop external URL fetching until the patch can be applied.
  • Restrict the public registration setting by disabling ALLOW_REGISTRATION or limiting it to trusted users, so that only authenticated, vetted users can trigger the vulnerable endpoint.
  • Implement network controls such as firewall or VPC rules that block outbound traffic to internal addresses from the PromptHub instance, mitigating the impact of any remaining SSRF vulnerabilities.

Generated by OpenCVE AI on May 8, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 04:00:00 +0000

Type Values Removed Values Added
Description PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true — a supported and documented configuration — this means any internet user who can register. This issue has been patched in version 0.5.4.
Title PromptHub: Authenticated SSRF via IPv6 filter bypass in `POST /api/skills/fetch-remote`
Weaknesses CWE-20
CWE-693
CWE-918
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T03:11:25.305Z

Reserved: 2026-04-26T11:53:27.705Z

Link: CVE-2026-42261

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T04:16:20.107

Modified: 2026-05-08T04:16:20.107

Link: CVE-2026-42261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T05:30:46Z

Weaknesses