CVE-2026-3789

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Bytedesk versions up to 1.3.9

Description A server-side request forgery condition exists in the getModels function within the SpringAIGiteeRestController component of Bytedesk. Manipulation of the apiUrl argument can lead to server-side request forgery. Exploitation of this issue is possible remotely and an exploit is publicly available. The vulnerable code is located in the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java.

Recommendations Upgrade to version 1.4.5.4 or later.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2026-3789

Affected Products

Bytedesk

CVE-2026-3789

Weakness Enumeration

Related Identifiers

Affected Products

References · 17