PT-2026-20327 · Cern · Indico
Inkz +2
Published 2026-02-17 · Updated 2026-02-26
CVE-2026-25738
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Indico versions prior to 3.3.10
Description: Indico, an event management system, is susceptible to server-side request forgery (SSRF). The system makes outgoing requests to URLs provided by users. While this functionality is intentional, it could allow access to sensitive targets such as localhost or cloud metadata endpoints. The risk is limited to event organizers who can access endpoints where SSRF could be used to view the returned data. Users hosted on AWS without authentication for sensitive data are less affected.
Recommendations: Versions prior to 3.3.10 should be upgraded to version 3.3.10. As a preventative measure, set the http_proxy and https_proxy environment variables on both the indico-uwsgi and indico-celery services to force outgoing requests through a limiting proxy.
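A concrete form of the proxy recommendation above, as an added example that is not from the advisory or the Indico project: a systemd drop-in applied to both services. The unit names are assumed to match the service names the advisory uses, and the proxy address is a placeholder; the proxy itself is what must enforce the destination allowlist, the variables only route traffic to it.

```ini
# /etc/systemd/system/indico-uwsgi.service.d/egress-proxy.conf
# Identical content goes in /etc/systemd/system/indico-celery.service.d/egress-proxy.conf
# Unit names assumed to match the services named in the advisory; proxy address is a placeholder.
[Service]
# Both lower- and upper-case spellings: different HTTP client libraries read different ones.
Environment="http_proxy=http://egress-proxy.example.internal:3128"
Environment="https_proxy=http://egress-proxy.example.internal:3128"
Environment="HTTP_PROXY=http://egress-proxy.example.internal:3128"
Environment="HTTPS_PROXY=http://egress-proxy.example.internal:3128"
# Deliberately no no_proxy / NO_PROXY entry: an exclusion for localhost, 127.0.0.1
# or 169.254.169.254 would let exactly the requests this control is meant to
# restrict bypass the proxy. Database and Redis connections are not HTTP and are
# unaffected by these variables, so they need no exclusion.
```

After `systemctl daemon-reload` and a restart of both services, confirm with `systemctl show -p Environment indico-uwsgi` that the variables are present, and configure the proxy to deny loopback, link-local and private-range destinations.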

Tags: Exploit · Fix · SSRF · Time Of Check To Time Of Use



Related Identifiers: CVE-2026-25738, GHSA-F47C-3C5W-V7P4

Affected Products: Indico