PT-2026-60507 · Unknown · Text-Generation-Inference

·

CVE-2026-63086

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions text-generation-inference versions prior to 3.3.8
Description A server-side request forgery (SSRF) issue exists in the OpenAI-compatible multimodal chat completions endpoint. Unauthenticated network attackers can force the server to issue arbitrary HTTP GET requests by providing a crafted image url value within the chat message content. This occurs because the fetch image() function in router/src/validation.rs does not validate private, loopback, link-local, or cloud metadata target addresses. Additionally, the reqwest HTTP client follows redirects by default, allowing attackers to bypass scheme checks through redirect chains to access internal services and cloud instance-metadata endpoints for internal port scanning and credential theft. Real-world incidents of this issue being exploited have been reported.
Recommendations Update text-generation-inference to version 3.3.8 or later. As a temporary mitigation, restrict access to the OpenAI-compatible multimodal chat completions endpoint or avoid using the image url parameter until the update is applied.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-63086

Affected Products

Text-Generation-Inference