CVE-2026-22664

Name of the Vulnerable Software and Affected Versions prompts.chat versions prior to commit 30a8f04

Description An issue in the Fal.ai media status polling feature allows authenticated users to perform arbitrary outbound requests. By supplying attacker-controlled URLs in the token parameter, the lack of URL validation can be exploited to disclose the FAL API KEY within the Authorization header. This can lead to credential theft, internal network probing, and unauthorized abuse of the victim's Fal.ai account. Server-side request forgery is a flaw where a server is tricked into making requests to an unintended location.

Recommendations Update prompts.chat to commit 30a8f04 or a later version. Avoid using the token parameter in the Fal.ai media status polling feature until the update is applied.