CVE-2026-42181

Name of the Vulnerable Software and Affected Versions Lemmy versions prior to 0.19.18

Description Lemmy fetches metadata for user-supplied post URLs and, when using the default StoreLinkPreviews image mode, downloads preview images via local pict-rs. While the initial top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to this restriction. This allows an authenticated low-privileged user to submit a public page where the Open Graph image points to an internal image endpoint. The server will then fetch the internal image and store a local thumbnail that can be served back to users. This process involves the extract opengraph data() function accepting absolute values and generate post link metadata() passing the URL to generate pictrs thumbnail(), which requests the image through the 'image/download?url=...' endpoint. This can be used to retrieve internal image resources and expose content reachable only from the application host.

Recommendations Update to version 0.19.18.