
CVE-2026-4964: Server-Side Request Forgery in letta-ai letta

Severity: Medium
Published: Fri Mar 27 2026 (03/27/2026, 17:05:22 UTC)
Source: CVE Database V5
Vendor/Project: letta-ai
Product: letta

Description

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/27/2026, 18:04:43 UTC

Technical Analysis

CVE-2026-4964 is a server-side request forgery (SSRF) vulnerability in the open-source AI product letta-ai letta, version 0.16.4. The flaw lies in the _convert_message_create_to_message function in letta/helpers/message_helper.py, within the File URL Handler component. It is triggered by manipulation of the ImageContent argument, which carries file URLs. Because this input is not sufficiently validated or sanitized, an attacker can supply a URL that causes the server to issue arbitrary HTTP requests to internal or external network resources. This can yield unauthorized access to internal services, bypass firewalls or network segmentation, expose sensitive data, or enable further attacks such as internal reconnaissance or exploitation of other vulnerabilities.

The vulnerability is exploitable remotely and needs no user interaction. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and partial (low) impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the vendor was contacted early, no patch or response has been provided, and no exploitation in the wild has been observed so far; the public disclosure of exploit code nonetheless raises the risk of opportunistic attacks. Given the nature of SSRF, attackers could use this flaw to pivot within an organization's internal network, reach cloud metadata services, or exfiltrate data. The vulnerability affects only version 0.16.4 of letta, so users of other versions or products are not impacted. The lack of a vendor response or patch makes immediate defensive action by users and administrators necessary.

Potential Impact

The primary impact of CVE-2026-4964 is that attackers can make the server perform unauthorized requests on their behalf, which opens the door to several security issues. Organizations running letta 0.16.4 could face internal network reconnaissance, exposure of sensitive internal endpoints, and possible data leakage. The SSRF can be used to bypass network access controls and reach internal services that are otherwise unreachable from the internet, which in turn could facilitate lateral movement within the network, privilege escalation, or exploitation of other vulnerabilities in internal systems. The partial impact on confidentiality, integrity, and availability means attackers might read sensitive data, alter some data or system behavior, or cause limited service disruption. Since exploitation requires only low privileges and no user interaction, the risk of automated or widespread attacks rises once exploit code is publicly available, and the absence of a vendor patch lengthens the window of exposure. Organizations relying on letta for AI or automation tasks may suffer operational disruption and reputational damage if exploited. The medium severity rating reflects that the vulnerability still requires some level of access (low privileges) and has a limited impact scope compared to critical SSRF vulnerabilities that fully compromise systems.

Mitigation Recommendations

To mitigate CVE-2026-4964 effectively, organizations should implement the following specific measures:

1) Immediately audit and restrict the usage of the _convert_message_create_to_message function, especially its handling of the ImageContent argument, to prevent processing untrusted URLs.
2) Disable or block external URL fetching in letta where possible, or whitelist only trusted domains and IP ranges to limit SSRF attack vectors.
3) Implement strict input validation and sanitization on all user-supplied inputs that influence URL requests, ensuring that only safe and expected formats are accepted.
4) Employ network-level controls such as firewall rules or egress filtering to prevent the application server from making unauthorized outbound requests to internal or sensitive network segments.
5) Monitor application logs and network traffic for unusual or unexpected outbound requests originating from letta instances.
6) If feasible, isolate the letta application in a segmented network environment with minimal privileges to reduce potential lateral movement.
7) Stay alert for vendor updates or community patches addressing this vulnerability and plan for timely application once available.
8) Consider alternative versions or forks of letta that do not contain this vulnerability if immediate patching is not possible.
9) Conduct penetration testing and vulnerability scanning focused on SSRF to detect any exploitation attempts.

These targeted mitigations go beyond generic advice by focusing on the specific vulnerable function and the nature of the SSRF attack vector.
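As an added example (not letta's code), the following Python guard implements recommendations 2 and 3 above for a user-supplied image URL: it allows only http/https, optionally enforces a host allowlist, resolves the host and rejects any answer that is loopback, private, link-local (which covers the cloud metadata range), multicast, reserved or unspecified, including IPv4-mapped IPv6 forms. The function names, the ALLOWED_HOSTS set and the injectable resolver are assumptions for illustration.

```python
"""SSRF guard for user-supplied image URLs (added example, not letta's code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS: set[str] = set()  # hypothetical allowlist; empty = any public host


def is_public_address(ip: str) -> bool:
    """False for loopback, private, link-local (incl. 169.254.169.254 metadata),
    multicast, reserved and unspecified addresses, in IPv4 or IPv6 form."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> list[str]:
    """All A/AAAA answers for host, in canonical dotted/colon form."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_image_url(url: str, resolver=default_resolver) -> str:
    """Return the address the fetch should be pinned to, or raise ValueError.
    The caller should connect to that IP instead of re-resolving (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:          # blocks file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    host = parsed.hostname                             # brackets stripped for IPv6
    if not host:
        raise ValueError("missing host")
    if ALLOWED_HOSTS and host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    try:
        ips = [str(ipaddress.ip_address(host))]        # literal IP in the URL
    except ValueError:
        ips = resolver(host)                           # name, or non-canonical IP spelling
    if not ips:
        raise ValueError(f"host did not resolve: {host}")
    # Every answer must be public: a hostile zone can mix one internal record in.
    for ip in ips:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return ips[0]
```

Egress filtering (recommendation 4) remains the backstop, since a validator only sees the first hop and cannot judge redirects issued by the remote server.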


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-27T08:23:08.629Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69c6c6913c064ed76fdc2946

Added to database: 3/27/2026, 6:04:01 PM

Last enriched: 3/27/2026, 6:04:43 PM

Last updated: 3/28/2026, 1:46:24 AM

