CVE-2026-25883: CWE-918: Server-Side Request Forgery (SSRF) in Vexa-ai vexa
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.
AI Analysis
Technical Summary
Vexa, an open-source meeting bot API, contains an SSRF vulnerability (CWE-918) in its webhook feature before version 0.10.0-260419-1910. Authenticated users can specify arbitrary webhook URLs without validation, allowing the server to send HTTP POST requests to attacker-controlled or internal endpoints. This can be leveraged to access internal services such as Redis, databases, admin panels, or cloud metadata services (e.g., AWS/GCP credentials). The vulnerability is fixed in version 0.10.0-260419-1910. The CVSS 3.1 base score is 5.8, indicating medium severity. The product is cloud-hosted, and the vendor is responsible for patching the service.
Potential Impact
An authenticated attacker can exploit this SSRF vulnerability to cause the Vexa server to send HTTP POST requests to arbitrary internal or cloud metadata endpoints. This may lead to unauthorized access to internal services, exposure of cloud credentials, or interaction with localhost services. There is no indication of direct data integrity or availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available in Vexa version 0.10.0-260419-1910 that addresses this SSRF vulnerability by validating webhook URLs. Since Vexa is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are running the patched version or confirm with the vendor that the service is updated. No additional mitigation actions are indicated by the vendor advisory.
CVE-2026-25883: CWE-918: Server-Side Request Forgery (SSRF) in Vexa-ai vexa
Description
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Vexa, an open-source meeting bot API, contains an SSRF vulnerability (CWE-918) in its webhook feature before version 0.10.0-260419-1910. Authenticated users can specify arbitrary webhook URLs without validation, allowing the server to send HTTP POST requests to attacker-controlled or internal endpoints. This can be leveraged to access internal services such as Redis, databases, admin panels, or cloud metadata services (e.g., AWS/GCP credentials). The vulnerability is fixed in version 0.10.0-260419-1910. The CVSS 3.1 base score is 5.8, indicating medium severity. The product is cloud-hosted, and the vendor is responsible for patching the service.
Potential Impact
An authenticated attacker can exploit this SSRF vulnerability to cause the Vexa server to send HTTP POST requests to arbitrary internal or cloud metadata endpoints. This may lead to unauthorized access to internal services, exposure of cloud credentials, or interaction with localhost services. There is no indication of direct data integrity or availability impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch is available in Vexa version 0.10.0-260419-1910 that addresses this SSRF vulnerability by validating webhook URLs. Since Vexa is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure they are running the patched version or confirm with the vendor that the service is updated. No additional mitigation actions are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-06T21:08:39.129Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69e6514819fe3cd2cd0f546a
Added to database: 4/20/2026, 4:16:08 PM
Last enriched: 4/20/2026, 4:31:33 PM
Last updated: 4/20/2026, 5:27:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.