Description
aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms.
Published: 2026-06-11
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

aiograpi versions before 0.9.10 do not validate the paths provided by server‑supplied signup challenges. An attacker who can influence the challenge response—through a compromised local network, DNS spoofing, or proxy manipulation—can craft a path that points to an arbitrary host. The library then builds a request URL with this unvalidated path and sends it with the victim’s session headers, allowing the attacker to send arbitrary requests to any destination the client can reach.

Affected Systems

The issue affects the aiograpi Python library distributed by subzeroid. All releases prior to 0.9.10 are vulnerable. Version 0.9.10 and later incorporate input validation that prevents the construction of URLs from untrusted challenge paths.
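As an added illustration (not code from aiograpi or from this advisory), the snippet below contrasts an unvalidated join of a server-supplied challenge path, the pattern the description attributes to releases before 0.9.10, with a check that accepts only relative paths resolving to the Instagram API host. The base URL, allowed host, function names and sample paths are assumptions made for the example.

```python
from urllib.parse import urljoin, urlsplit

# Assumed values for this example; the real client's base URL may differ.
INSTAGRAM_API_BASE = "https://i.instagram.com/api/v1/"
ALLOWED_HOST = "i.instagram.com"


def build_challenge_url_unvalidated(challenge_path: str) -> str:
    """The pattern the advisory attributes to releases before 0.9.10:
    the server-supplied path is joined into the request URL as-is, so an
    absolute or scheme-relative value sends the request (and the session
    headers attached to it) to a different host."""
    return urljoin(INSTAGRAM_API_BASE, challenge_path)


def is_relative_api_path(challenge_path: str) -> bool:
    """Accept only a relative path that stays on the Instagram API host.

    Rejects empty values, backslashes (normalised to '/' by some clients),
    absolute URLs, scheme-relative references (//host/...), and dot
    segments that could climb out of the API prefix. As a final check,
    the resolved URL must still point at ALLOWED_HOST over HTTPS.
    """
    if not challenge_path or "\\" in challenge_path:
        return False
    parts = urlsplit(challenge_path)
    if parts.scheme or parts.netloc:
        return False
    if any(segment in (".", "..") for segment in parts.path.split("/")):
        return False
    resolved = urlsplit(urljoin(INSTAGRAM_API_BASE, challenge_path))
    return resolved.scheme == "https" and resolved.netloc == ALLOWED_HOST


def build_challenge_url(challenge_path: str) -> str:
    """Hardened variant: validate the path before building the URL."""
    if not is_relative_api_path(challenge_path):
        raise ValueError(f"refusing non-relative challenge path: {challenge_path!r}")
    return urljoin(INSTAGRAM_API_BASE, challenge_path)


if __name__ == "__main__":
    # Constructed sample paths showing where each variant would send the request.
    for path in ("challenge/1234/abcd/", "//attacker.example/challenge/"):
        print("unvalidated:", build_challenge_url_unvalidated(path))
        try:
            print("validated:  ", build_challenge_url(path))
        except ValueError as exc:
            print("validated:  ", exc)
```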

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control a challenge response, which is feasible via local network or DNS compromise. Once that prerequisite is met, the attacker can perform SSRF attacks that may exfiltrate session data or reach internal services.

Generated by OpenCVE AI on June 11, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiograpi to version 0.9.10 or newer, which validates challenge paths before constructing URLs
  • If upgrading is not immediately possible, restrict outbound traffic from the application so that only the official Instagram host is reachable, blocking requests to other domains
  • As a temporary measure, alter the application logic to avoid using local challenge responses or enforce a whitelist of permissible challenge URLs

Advisories
Source: Github GHSA
ID: GHSA-jh37-x3fv-4x72
Title: aiograpi: Unsafe signup challenge path handling
History

Thu, 11 Jun 2026 20:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 18:00:00 +0000

Values added:
  • Description: added (identical to the Description at the top of this page)
  • Title: aiograpi: Unsafe signup challenge path handling
  • Weaknesses: CWE-918
  • References
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:18:09.100Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47157

Vulnrichment

Updated: 2026-06-11T19:17:40.449Z

NVD

Status: Deferred

Published: 2026-06-11T18:16:26.237

Modified: 2026-06-11T21:02:34.917

Link: CVE-2026-47157

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:30:28Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)