Description
A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected or updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Patch Now
AI Analysis

Impact

The flaw in the server.js API Proxy Endpoint of openai-realtime-ui allows an attacker to manipulate a query argument so that the server issues outbound requests to arbitrary URLs chosen by the attacker. This server-side request forgery can expose internal resources that are reachable only from the server, pull confidential data, or stage further attacks by connecting the application to malicious services. The impact includes potential confidentiality and integrity compromise of internal systems, and may also affect availability if the server is used to generate excessive outbound traffic.

Affected Systems

Any installation of bigsk1's openai-realtime-ui that includes the affected component up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c is vulnerable. Because the project uses continuous delivery with rolling releases, no specific version numbers are published. The flaw remains until the patch commit 54f8f50f43af97c334a881af7b021e84b5b8310f is applied.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating medium severity. The exploit is remotely triggerable and has been publicly released, which makes real-world exploitation realistic. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. Exploitation requires only a crafted query to the API Proxy Endpoint, so the attack is trivial for anyone who can reach the exposed service.

Generated by OpenCVE AI on April 8, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch commit 54f8f50f43af97c334a881af7b021e84b5b8310f to the openai‑realtime‑ui repository

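The Impact and Recommended Actions sections above describe a proxy endpoint that forwards a caller-supplied query value to an outbound request, which is the root cause class of this CWE-918 finding. What follows is an added example, not code from the openai-realtime-ui project or from its patch commit: it shows the allowlist validation a defender would want in front of any such proxy, with the upstream host `api.openai.com`, the query parameter name `target`, and the sample inputs all being assumptions made for illustration.

```javascript
// Added example, not code from the openai-realtime-ui project or its patch:
// allowlist-based validation of a caller-supplied proxy target, the control
// that stops a proxy endpoint from issuing requests to arbitrary URLs (CWE-918).
// The upstream host, the query parameter name and the sample inputs are assumptions.

// Assumption: the only upstream this proxy is meant to reach.
const ALLOWED_HOSTS = new Set(['api.openai.com']);

// Returns true for loopback, link-local, "this network" and RFC 1918 IPv4 literals.
// With an exact-match allowlist this is redundant, but it is kept as defence in
// depth in case the allowlist is later widened to patterns.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Validate one raw target string. Returns { ok: true, href } for an acceptable
// upstream URL, or { ok: false, reason } otherwise. The caller must use the
// returned href, never the raw input, for the outbound request.
function validateProxyTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'missing or oversized target' };
  }
  let url;
  try {
    url = new URL(raw); // WHATWG parser: rejects relative and malformed input
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== '' || url.password !== '') {
    // "https://api.openai.com@other.example/" parses with hostname other.example;
    // refusing embedded credentials removes that confusion outright.
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  const host = url.hostname.toLowerCase();
  if (host.startsWith('[')) {
    return { ok: false, reason: 'IPv6 literal not allowed' };
  }
  if (host === 'localhost' || host.endsWith('.localhost') || isPrivateIPv4(host)) {
    return { ok: false, reason: 'loopback or private address' };
  }
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  if (url.port !== '' && url.port !== '443') {
    return { ok: false, reason: 'non-standard port' };
  }
  return { ok: true, href: url.href };
}

// Express-style handler shape (req.query.target is an assumption) showing where
// the check sits: before any fetch, with every rejection logged for detection.
function handleProxyRequest(req) {
  const verdict = validateProxyTarget(req.query && req.query.target);
  if (!verdict.ok) {
    console.warn(`proxy target rejected: ${verdict.reason}`); // forward to SIEM
    return { status: 400, body: { error: 'invalid proxy target' } };
  }
  // fetch(verdict.href, ...) would go here; omitted so the example runs offline.
  return { status: 200, body: { upstream: verdict.href } };
}

// Constructed sample inputs exercising each branch of the validator.
const SAMPLE_TARGETS = [
  'https://api.openai.com/v1/models',
  'http://api.openai.com/v1/models',
  'https://api.openai.com@other.example/',
  'https://127.0.0.1:8080/admin',
  'https://[::1]/',
  'https://other.example/',
  'not a url',
];

function runSamples() {
  return SAMPLE_TARGETS.map((t) => ({ target: t, ...validateProxyTarget(t) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSamples()) {
    console.log(r.ok ? `ALLOW ${r.href}` : `REJECT ${r.target}: ${r.reason}`);
  }
}
```

The design point is that the decision is made on the parsed URL, not on the raw string: scheme, credentials, host and port are each checked against an explicit allowlist, and the outbound request is built from the normalised `href` the validator returns. Logging the rejection reason gives a detection signal for probing of the endpoint without leaking the allowlist to the caller.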


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Bigsk1; Bigsk1 openai-realtime-ui

Type: Vendors & Products
Values Removed: (none)
Values Added: Bigsk1; Bigsk1 openai-realtime-ui

Wed, 08 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue.

Type: Title
Values Removed: (none)
Values Added: bigsk1 openai-realtime-ui API Proxy Endpoint server.js server-side request forgery

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T13:51:23.252Z

Reserved: 2026-04-08T14:37:04.019Z

Link: CVE-2026-5803

Vulnrichment

Updated: 2026-04-09T13:51:19.964Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:01.977

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-5803

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:24Z

Weaknesses