PT-2026-23101 · Pict-Rs+1

Published 2026-03-04 · Updated 2026-03-06 · CVE-2026-29178

CVSS v4.0: 8.7 (High)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Lemmy versions prior to 0.19.16

Description: Lemmy, a link aggregator and forum, contains a server-side request forgery (SSRF) issue. The GET /api/v4/image/(unknown) endpoint is susceptible to unauthenticated SSRF due to parameter injection in the file type query parameter. An attacker can inject arbitrary query parameters into the internal request Lemmy makes to pict-rs, including the proxy parameter, causing pict-rs to fetch arbitrary URLs. The vulnerable code resides in crates/routes/src/images/download.rs, lines 17-40, within the get image function, where the file type parameter is interpolated directly into the URL string without validation. This allows an attacker to construct a malicious URL using the proxy parameter to reach internal services or cloud metadata. The issue allows an attacker to access cloud metadata services, scan internal services on the Docker network, and bypass the RemoteImage::validate() check.

Recommendations: Versions prior to 0.19.16 should be updated to version 0.19.16 or later. Validate the file type parameter to only allow alphanumeric characters.
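The recommended mitigation, an alphanumeric allow-list on the file type parameter before it is interpolated into the internal pict-rs URL, as an added illustration. This is not Lemmy's own code: the function names `validate_file_type` and `build_pictrs_url`, the length bound, and the shape of the internal URL are assumptions for the example, and the `name` value is a placeholder that real code would validate separately. The point it shows is that once the value is restricted to ASCII alphanumerics it cannot carry `?`, `&`, `=`, `/` or `#`, so no second query parameter (such as `proxy`) can be smuggled into the request that pict-rs receives.

```rust
// Added example, not code from the Lemmy project. Names, the length
// bound and the internal URL layout are assumptions for illustration.

/// Accept only non-empty ASCII-alphanumeric values of bounded length.
/// Such a value can never inject a query separator or path delimiter
/// into a URL it is interpolated into.
fn validate_file_type(file_type: &str) -> Result<&str, String> {
    const MAX_LEN: usize = 8; // assumed bound; real extensions are short
    if file_type.is_empty() || file_type.len() > MAX_LEN {
        return Err(format!(
            "file type length {} not in 1..={}",
            file_type.len(),
            MAX_LEN
        ));
    }
    if !file_type.bytes().all(|b| b.is_ascii_alphanumeric()) {
        return Err("file type must contain only ASCII alphanumerics".to_string());
    }
    Ok(file_type)
}

/// Build the internal pict-rs request URL only from a validated file type.
/// The path layout is illustrative; `name` is a placeholder that a real
/// implementation would validate or percent-encode as well.
fn build_pictrs_url(pictrs_base: &str, name: &str, file_type: &str) -> Result<String, String> {
    let ft = validate_file_type(file_type)?;
    Ok(format!("{pictrs_base}/image/process.{ft}?src={name}"))
}

fn main() {
    // Constructed inputs: a benign value and values that smuggle a
    // second query parameter or a path component.
    for candidate in ["png", "jpeg", "png&extra=1", "webp?x=1", "../gif", ""] {
        match build_pictrs_url("http://pictrs:8080", "abc", candidate) {
            Ok(url) => println!("accepted {candidate:?} -> {url}"),
            Err(e) => println!("rejected {candidate:?}: {e}"),
        }
    }
}
```

Rejecting rather than sanitizing (stripping offending characters) is deliberate: stripping can turn one unexpected value into another, while an allow-list fails closed and makes the accepted character set explicit in the code.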

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-29178
GHSA-JVXV-2JJP-JXC3

Affected Products

Lemmy
Pict-Rs