CVE-2026-42181: CWE-918: Server-Side Request Forgery (SSRF) in LemmyNet lemmy
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
AI Analysis
Technical Summary
Lemmy, a federated link aggregator and forum software, had an SSRF vulnerability (CWE-918) in versions before 0.19.18. The vulnerability arises because Lemmy fetches preview images from URLs specified in the Open Graph metadata of user-submitted posts without validating these image URLs against internal IP ranges. Although the top-level page URL is validated, the extracted og:image URL is not, enabling an authenticated user with low privileges to submit a public page whose Open Graph image points to an internal endpoint. Lemmy then fetches this internal image server-side and stores a local thumbnail, potentially exposing internal network resources. This vulnerability is addressed by the patch in version 0.19.18.
Potential Impact
An authenticated low-privileged user can exploit this SSRF vulnerability to make Lemmy fetch internal network resources by submitting posts with crafted Open Graph image URLs. This can lead to unauthorized internal resource access or information disclosure. The CVSS score is 6.5 (medium severity) with high confidentiality impact but no integrity or availability impact. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Lemmy version 0.19.18. Users should upgrade to version 0.19.18 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official patch. Patch status is not explicitly stated beyond the version fix, so verify with the vendor advisory for the latest guidance.
CVE-2026-42181: CWE-918: Server-Side Request Forgery (SSRF) in LemmyNet lemmy
Description
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Lemmy, a federated link aggregator and forum software, had an SSRF vulnerability (CWE-918) in versions before 0.19.18. The vulnerability arises because Lemmy fetches preview images from URLs specified in the Open Graph metadata of user-submitted posts without validating these image URLs against internal IP ranges. Although the top-level page URL is validated, the extracted og:image URL is not, enabling an authenticated user with low privileges to submit a public page whose Open Graph image points to an internal endpoint. Lemmy then fetches this internal image server-side and stores a local thumbnail, potentially exposing internal network resources. This vulnerability is addressed by the patch in version 0.19.18.
Potential Impact
An authenticated low-privileged user can exploit this SSRF vulnerability to make Lemmy fetch internal network resources by submitting posts with crafted Open Graph image URLs. This can lead to unauthorized internal resource access or information disclosure. The CVSS score is 6.5 (medium severity) with high confidentiality impact but no integrity or availability impact. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Lemmy version 0.19.18. Users should upgrade to version 0.19.18 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official patch. Patch status is not explicitly stated beyond the version fix, so verify with the vendor advisory for the latest guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T01:53:21.582Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe4242cbff5d8610241d71
Added to database: 5/8/2026, 8:06:26 PM
Last enriched: 5/8/2026, 8:21:51 PM
Last updated: 5/9/2026, 1:59:22 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.