CVE-2026-22664 Overview
CVE-2026-22664 is a Server-Side Request Forgery (SSRF) vulnerability in prompts.chat prior to commit 30a8f04. The vulnerability exists in the Fal.ai media status polling functionality and allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Due to a lack of URL validation, attackers can exploit this flaw to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.
Critical Impact
Authenticated attackers can steal API credentials and probe internal networks through unvalidated SSRF requests, potentially compromising the Fal.ai integration and enabling further lateral movement.
Affected Products
- prompts.chat prior to commit 30a8f04
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-22664 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-22664
Vulnerability Analysis
This SSRF vulnerability arises from improper input validation in the Fal.ai media status polling mechanism within prompts.chat. The application accepts user-controlled URLs in the token parameter without validating that the destination belongs to a trusted Fal.ai origin. When the application makes authenticated requests to poll media generation status, it includes the FAL_API_KEY in the Authorization header. An attacker who can manipulate the token parameter can redirect these authenticated requests to an attacker-controlled server, capturing the API key and any other sensitive headers.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which describes scenarios where a web application can be induced to make requests to unintended destinations. In this case, the lack of origin validation allows authenticated requests meant for Fal.ai's queue service to be redirected to arbitrary endpoints, exposing credentials and enabling internal network reconnaissance.
Root Cause
The root cause is the absence of URL validation before making authenticated HTTP requests. The vulnerable code accepted any URL provided in the token parameter and forwarded the request with the FAL_API_KEY attached, without verifying that the target URL belonged to legitimate Fal.ai domains (queue.fal.run or fal.run).
Attack Vector
The attack vector is network-based and requires low-privilege authentication. An attacker with valid credentials can supply a malicious URL in the token parameter during media status polling operations. When the application processes this request, it forwards the FAL_API_KEY to the attacker's server. This enables:
- Credential Theft: Capture of the FAL_API_KEY from the Authorization header
- Internal Network Probing: Scanning internal services accessible from the application server
- Account Abuse: Using stolen credentials to abuse the victim's Fal.ai account
The security patch introduces an allowlist-based URL validation function to prevent requests to untrusted origins:
const FAL_QUEUE_BASE = "https://queue.fal.run";
+const ALLOWED_FAL_HOSTS = new Set([
+ "queue.fal.run",
+ "fal.run",
+]);
+
+/**
+ * Validate that a URL points to a trusted Fal.ai origin.
+ *
+ * Prevents SSRF by ensuring user-controlled tokens cannot redirect
+ * authenticated requests to arbitrary servers.
+ */
+export function assertFalOrigin(url: string): void {
+ let parsed: URL;
+ try {
+ parsed = new URL(url);
+ } catch {
+ throw new Error("Invalid Fal.ai URL");
+ }
+ if (parsed.protocol !== "https:" || !ALLOWED_FAL_HOSTS.has(parsed.hostname)) {
+ throw new Error("Invalid Fal.ai URL: untrusted origin");
+ }
+}
+
function parseModels(envVar: string | undefined, type: "image" | "video" | "audio"): MediaGeneratorModel[] {
if (!envVar) return [];
return envVar
Source: GitHub Commit Reference
Detection Methods for CVE-2026-22664
Indicators of Compromise
- Unusual outbound HTTP requests from the prompts.chat application to non-Fal.ai domains
- Requests containing FAL_API_KEY authorization headers directed to external or internal IP addresses
- Log entries showing token parameters with URLs pointing to attacker-controlled servers or internal network addresses
- Unexpected usage patterns or charges on the associated Fal.ai account
Detection Strategies
- Monitor application egress traffic for requests to destinations outside the expected Fal.ai domains (queue.fal.run, fal.run)
- Implement alerting on HTTP requests containing sensitive headers being sent to non-allowlisted hosts
- Review application logs for token parameter values containing IP addresses, localhost references, or non-Fal.ai hostnames
- Configure web application firewalls to detect and block SSRF patterns in request parameters
Monitoring Recommendations
- Enable detailed logging for all outbound HTTP requests from the prompts.chat application
- Set up alerts for any FAL_API_KEY usage from unexpected IP addresses or for unusual API activity
- Implement network segmentation to limit the blast radius of SSRF exploitation
- Regularly audit Fal.ai account activity for signs of unauthorized access or credential abuse
How to Mitigate CVE-2026-22664
Immediate Actions Required
- Update prompts.chat to commit 30a8f04 or later which includes the SSRF fix
- Rotate the FAL_API_KEY immediately if exploitation is suspected
- Review logs for evidence of SSRF exploitation attempts
- Implement network-level controls to restrict outbound requests from the application server
Patch Information
The vulnerability has been addressed in commit 30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99. The fix implements an allowlist-based URL validation function (assertFalOrigin) that ensures all Fal.ai media status polling requests are restricted to trusted origins (queue.fal.run and fal.run) using HTTPS only. For detailed patch information, see the GitHub Commit Reference and the VulnCheck SSRF Advisory.
Workarounds
- If immediate patching is not possible, implement network-level restrictions to only allow outbound requests to queue.fal.run and fal.run
- Deploy a reverse proxy or web application firewall rule to validate and sanitize token parameters before they reach the application
- Temporarily disable the Fal.ai media generation feature until the patch can be applied
- Restrict the FAL_API_KEY permissions to the minimum required scope to limit potential abuse
# Network-level mitigation: Allow only trusted Fal.ai domains
# Example iptables rules to restrict outbound connections
iptables -A OUTPUT -p tcp -d queue.fal.run --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -d fal.run --dport 443 -j ACCEPT
# Block other outbound HTTPS from the application (adjust as needed)
# iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner appuser -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
