CVE-2026-29178: CWE-918: Server-Side Request Forgery (SSRF) in LemmyNet lemmy
Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery via a dependency on activitypub_federation, a framework for ActivityPub federation in Rust. Prior to version 0.19.16, the GET /api/v4/image/(unknown) endpoint is vulnerable to unauthenticated SSRF through parameter injection in the file_type query parameter. An attacker can inject arbitrary query parameters into the internal request to pict-rs, including the proxy parameter, which causes pict-rs to fetch arbitrary URLs. This issue has been patched in version 0.19.16.
AI Analysis
Technical Summary
CVE-2026-29178 is a Server-Side Request Forgery (SSRF) vulnerability identified in Lemmy, a federated link aggregator and forum software. The vulnerability arises from Lemmy's dependency on the Rust-based activitypub_federation framework and its interaction with pict-rs, an image proxy service. Specifically, the GET /api/v4/image/(unknown) endpoint accepts a file_type query parameter that is improperly sanitized, allowing attackers to inject arbitrary query parameters into internal requests made to pict-rs. Among these parameters is the proxy parameter, which instructs pict-rs to fetch arbitrary URLs. Because this endpoint is unauthenticated, an attacker can exploit this SSRF flaw remotely without any credentials or user interaction. The SSRF can be leveraged to access internal network resources, potentially bypassing firewall restrictions, or to cause denial of service by forcing the server to make numerous or malicious requests. The vulnerability affects all Lemmy versions prior to 0.19.16, where the issue has been patched. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, with high impact on integrity but no impact on confidentiality or availability. No known exploits have been reported in the wild as of the publication date. The root cause is insufficient input validation and unsafe parameter forwarding to an internal proxy service.
Potential Impact
The SSRF vulnerability in Lemmy can have significant impacts on organizations running vulnerable instances, especially those exposing the affected endpoint to the internet. Attackers can exploit this flaw to make arbitrary HTTP requests from the Lemmy server, potentially accessing internal services that are otherwise inaccessible externally, such as internal APIs, metadata services in cloud environments, or administrative interfaces. This can lead to information disclosure, unauthorized internal network reconnaissance, and lateral movement within the network. Additionally, attackers could use the SSRF to perform denial of service attacks by overwhelming internal or external resources. Since Lemmy is a federated platform used by communities worldwide, exploitation could disrupt communication and content sharing. The unauthenticated nature of the vulnerability increases the risk, as no credentials are needed to exploit it. Although no active exploitation has been reported, the high CVSS score and ease of exploitation make it a critical risk for organizations relying on Lemmy for federated social networking.
Mitigation Recommendations
The primary mitigation is to upgrade Lemmy to version 0.19.16 or later, where the SSRF vulnerability has been patched. Organizations should prioritize this update to eliminate the unsafe parameter injection. Additionally, administrators should implement network-level controls to restrict outbound HTTP requests from the Lemmy server to only trusted destinations, reducing the impact of potential SSRF exploitation. Employing web application firewalls (WAFs) with rules to detect and block suspicious query parameter patterns targeting the /api/v4/image/ endpoint can provide an additional layer of defense. Monitoring server logs for unusual outbound requests or spikes in traffic to internal services can help detect exploitation attempts. If upgrading immediately is not feasible, temporarily disabling or restricting access to the vulnerable endpoint can reduce exposure. Finally, conducting internal network segmentation and limiting the Lemmy server's access to sensitive internal resources will minimize the potential damage from SSRF attacks.
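The defect described above is a classic query-parameter injection: a user-supplied value is spliced into an internal URL without encoding, so `&` and `=` inside it become new parameters for the upstream service. The following Rust code is an added illustration and is not Lemmy's or pict-rs's own code; the upstream base URL, the `file_type` allowlist and the internal URL shape are assumptions. It shows the vulnerable concatenation pattern beside a hardened builder (allowlist plus percent-encoding), and a small access-log check that flags `file_type` values which decode to query-string metacharacters, the kind of pattern the WAF or log-monitoring recommendations above would look for on an instance that has not yet been upgraded.

```rust
// Added illustration, not Lemmy's or pict-rs's code.
// Hypothetical internal pict-rs base URL and internal request shape.
const PICTRS_BASE: &str = "http://pict-rs.internal:8080";

// Hypothetical allowlist of image formats the endpoint is expected to serve.
const ALLOWED_FILE_TYPES: &[&str] = &["jpg", "jpeg", "png", "webp", "gif", "avif"];

#[derive(Debug, PartialEq)]
enum UrlError {
    UnknownFileType(String),
}

/// Vulnerable pattern: the (already URL-decoded) user value is concatenated
/// into the internal query string unencoded, so "png&proxy=..." yields a
/// second parameter that the upstream service will honour.
fn build_pictrs_url_unsafe(file_type: &str) -> String {
    format!("{}/image/process?file_type={}", PICTRS_BASE, file_type)
}

/// Percent-encode a query value: keep only RFC 3986 unreserved characters.
fn percent_encode_query_value(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len());
    for b in raw.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Hardened pattern: reject anything outside the allowlist, and encode the
/// value anyway so the query-string grammar cannot be altered by the caller.
fn build_pictrs_url_safe(file_type: &str) -> Result<String, UrlError> {
    let ft = file_type.to_ascii_lowercase();
    if !ALLOWED_FILE_TYPES.contains(&ft.as_str()) {
        return Err(UrlError::UnknownFileType(file_type.to_string()));
    }
    Ok(format!(
        "{}/image/process?file_type={}",
        PICTRS_BASE,
        percent_encode_query_value(&ft)
    ))
}

/// Minimal percent-decoder for log analysis ('+' becomes a space).
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'%' if i + 2 < bytes.len() => {
                let decoded = std::str::from_utf8(&bytes[i + 1..i + 3])
                    .ok()
                    .and_then(|h| u8::from_str_radix(h, 16).ok());
                if let Some(v) = decoded {
                    out.push(v);
                    i += 3;
                    continue;
                }
                out.push(b'%');
            }
            b'+' => out.push(b' '),
            b => out.push(b),
        }
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Return the decoded value of `name` from a request target's query string.
fn query_param(target: &str, name: &str) -> Option<String> {
    let query = target.split_once('?')?.1;
    query.split('&').find_map(|pair| {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        if k == name { Some(percent_decode(v)) } else { None }
    })
}

/// Detection heuristic over access-log request targets: a file_type value
/// that decodes to query metacharacters is an injection attempt against
/// the /api/v4/image/ endpoint.
fn is_suspicious_image_request(request_target: &str) -> bool {
    if !request_target.starts_with("/api/v4/image/") {
        return false;
    }
    match query_param(request_target, "file_type") {
        Some(v) => v.contains(&['&', '=', '?', '#'][..]),
        None => false,
    }
}

fn main() {
    // Constructed sample request targets, as they would appear in an access log.
    let samples = [
        "/api/v4/image/abc123?file_type=png",
        "/api/v4/image/abc123?file_type=png%26proxy%3Dhttp%3A%2F%2Fexample.invalid%2F",
    ];
    for s in samples {
        println!("{} -> suspicious: {}", s, is_suspicious_image_request(s));
    }
    let injected = query_param(samples[1], "file_type").unwrap();
    println!("unsafe: {}", build_pictrs_url_unsafe(&injected));
    println!("safe:   {:?}", build_pictrs_url_safe(&injected));
    println!("safe:   {:?}", build_pictrs_url_safe("png"));
}
```

The allowlist is the real fix here: percent-encoding alone stops the grammar from being altered, but an enumerated set of expected values also removes any need to reason about what the upstream service would do with an unexpected string. The log check is deliberately narrow (decoded metacharacters in one parameter on one path) so it produces few false positives when run over normal traffic.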
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T14:44:00.713Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ab19e8c48b3f10ffbbf2b1
Added to database: 3/6/2026, 6:16:08 PM
Last enriched: 3/6/2026, 6:30:21 PM
Last updated: 3/7/2026, 8:13:00 AM