CVE-2026-22662 Overview
CVE-2026-22662 is a blind Server-Side Request Forgery (SSRF) vulnerability in prompts.chat prior to commit 1464475. The flaw resides in the Wiro media generator and accepts an attacker-controlled inputImageUrl parameter through the /api/media-generate endpoint. Authenticated users can coerce the backend into issuing HTTP requests toward arbitrary destinations, including internal services unreachable from the public internet. The issue is tracked as CWE-918: Server-Side Request Forgery.
Critical Impact
Authenticated attackers can probe internal networks, enumerate internal services, and exfiltrate data through the upstream Wiro service without observing direct response bodies.
Affected Products
- fka/prompts.chat versions prior to commit 1464475df2698fb7ccd0cdbc382b0750466f891d
- Deployments exposing the /api/media-generate endpoint with Wiro integration enabled
- Self-hosted instances running the vulnerable Wiro media generator handler
Discovery Timeline
- 2026-04-03 - CVE-2026-22662 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-22662
Vulnerability Analysis
The vulnerability exists in the Wiro media generator handler exposed at /api/media-generate. The handler accepts a JSON POST body containing an inputImageUrl parameter and forwards that URL to the upstream Wiro service for fetching. The application does not validate the scheme, host, or address class of the supplied URL. Authenticated users can therefore submit URLs targeting internal hostnames, loopback interfaces, cloud metadata endpoints, or private RFC1918 ranges.
Because the response body from the upstream fetch is not returned directly to the caller, exploitation operates as a blind SSRF. Attackers infer information from response timing, status differentials, and side effects observed in the upstream Wiro pipeline. Data exfiltration is achievable by chaining the fetch through Wiro, where internal content can transit a third-party service controlled outside the victim's perimeter.
Root Cause
The root cause is missing input validation on the inputImageUrl parameter inside the media generation route. The code accepts any user-supplied URL and passes it to the outbound HTTP client without enforcing an allowlist of permitted hosts, blocking private address ranges, or restricting the URL scheme to https.
Attack Vector
An authenticated user sends a POST request to /api/media-generate with a crafted inputImageUrl pointing to an internal resource such as http://169.254.169.254/latest/meta-data/ or http://127.0.0.1:8080/admin. The server forwards the URL through the Wiro integration, which performs the fetch from network positions inaccessible to the original client. Repeated probes map internal services and infrastructure.
No verified public exploit code is available. See the VulnCheck Security Advisory for the disclosed technical analysis.
Detection Methods for CVE-2026-22662
Indicators of Compromise
- POST requests to /api/media-generate containing inputImageUrl values that resolve to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or loopback addresses
- Requests where inputImageUrl references cloud metadata services such as 169.254.169.254 or metadata.google.internal
- Outbound traffic from the upstream Wiro service targeting internal hostnames belonging to the deployment environment
Detection Strategies
- Parse application logs for /api/media-generate requests and extract the inputImageUrl field for analysis against a denylist of internal address ranges
- Correlate authenticated session activity with anomalous URL parameters containing non-standard schemes (file://, gopher://, dict://) or unusual ports
- Monitor for high-volume requests to the media generation endpoint from a single account, indicative of internal network scanning
Monitoring Recommendations
- Enable structured logging on the /api/media-generate route to capture all inputImageUrl values and originating account identifiers
- Forward web application logs and egress proxy telemetry to a centralized analytics platform for retrospective hunting
- Alert on DNS resolutions of internal hostnames originating from the upstream Wiro integration callback
How to Mitigate CVE-2026-22662
Immediate Actions Required
- Update prompts.chat to a build that includes commit 1464475 or later
- Audit access logs for /api/media-generate requests containing internal IP addresses or metadata service hostnames in the inputImageUrl parameter
- Restrict access to the media generation endpoint to trusted authenticated users until the patch is applied
Patch Information
The fix is delivered in commit 1464475df2698fb7ccd0cdbc382b0750466f891d of the f/prompts.chat repository, merged through pull request #1102. The patch introduces validation on the inputImageUrl parameter to reject internal and non-HTTP(S) targets before they reach the upstream fetch.
Workarounds
- Place the application behind an egress proxy that blocks outbound connections to RFC1918 ranges, loopback, and link-local addresses including 169.254.169.254
- Implement a reverse proxy or Web Application Firewall (WAF) rule that inspects POST bodies sent to /api/media-generate and rejects requests with internal hostnames in inputImageUrl
- Disable the Wiro media generator integration in deployments that do not require AI image generation functionality
# Example egress restriction using iptables to block SSRF targets
iptables -A OUTPUT -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


