CVE-2026-3788 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Bytedesk versions up to 1.3.9. This security flaw affects the getModels function within the SpringAIOpenrouterRestService.java file, which is part of the SpringAIOpenrouterRestController component. Attackers can exploit this vulnerability by manipulating the apiUrl argument, enabling them to make arbitrary server-side HTTP requests to internal or external resources.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to access internal services, bypass firewall restrictions, and potentially exfiltrate sensitive data from backend systems that should not be externally accessible.
Affected Products
- Bytedesk versions up to and including 1.3.9
- SpringAI OpenRouter integration component
- Systems utilizing SpringAIOpenrouterRestController
Discovery Timeline
- March 9, 2026 - CVE-2026-3788 published to NVD
- March 10, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3788
Vulnerability Analysis
This SSRF vulnerability exists in the Bytedesk AI integration component, specifically within the Spring AI OpenRouter REST service implementation. The vulnerable function getModels accepts an apiUrl parameter that is used to construct server-side HTTP requests without adequate validation or sanitization. This allows authenticated users to redirect requests to arbitrary destinations, including internal network resources, cloud metadata services, and other restricted endpoints.
The vulnerability is exploitable remotely over the network and requires low-level privileges (authenticated user access). The exploit has been publicly disclosed, increasing the risk of active exploitation attempts against unpatched systems.
Root Cause
The root cause of this vulnerability is improper input validation in the apiUrl parameter handling within the SpringAIOpenrouterRestService.java file located at source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java. The application fails to implement adequate URL allowlisting or validation mechanisms, permitting user-controlled input to directly influence server-side HTTP request destinations.
Attack Vector
The attack is launched remotely via network access to the vulnerable endpoint. An authenticated attacker can manipulate the apiUrl argument passed to the getModels function to target internal services. Common attack scenarios include:
- Accessing cloud metadata services (e.g., AWS IMDSv1 at http://169.254.169.254/)
- Scanning internal network infrastructure
- Accessing localhost services and administrative interfaces
- Bypassing firewall rules to reach otherwise restricted endpoints
The vulnerability mechanism centers on insufficient URL validation in the SpringAI OpenRouter service. When processing API requests, the service accepts user-supplied URLs without proper sanitization, allowing attackers to redirect outbound requests to arbitrary destinations. For technical implementation details, refer to the Bytedesk Issue Discussion and the security patch commit.
Detection Methods for CVE-2026-3788
Indicators of Compromise
- Unusual outbound HTTP requests from the Bytedesk application server to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- HTTP requests to cloud metadata endpoints such as 169.254.169.254
- Anomalous traffic patterns from the SpringAI OpenRouter service component
- Log entries showing API calls with suspicious apiUrl parameter values targeting localhost or internal services
Detection Strategies
- Monitor application logs for SpringAIOpenrouterRestController endpoint access with atypical URL patterns in the apiUrl parameter
- Implement network-level monitoring for outbound requests from application servers to internal network segments
- Deploy web application firewall (WAF) rules to detect and block SSRF payload patterns
- Review authentication logs for accounts making unusual API requests to the affected endpoint
Monitoring Recommendations
- Enable detailed logging for all requests to the SpringAI OpenRouter REST endpoints
- Set up alerts for outbound connections to RFC 1918 private IP addresses from the application server
- Monitor DNS queries from the Bytedesk application for suspicious domain lookups
- Implement egress traffic analysis to detect data exfiltration attempts
How to Mitigate CVE-2026-3788
Immediate Actions Required
- Upgrade Bytedesk to version 1.4.5.4 or later immediately
- If immediate upgrade is not possible, disable or restrict access to the SpringAI OpenRouter integration endpoints
- Implement network segmentation to limit the impact of potential SSRF exploitation
- Review access logs for signs of exploitation attempts
Patch Information
The vulnerability has been addressed in Bytedesk version 1.4.5.4. The security patch is identified by commit hash 975e39e4dd527596987559f56c5f9f973f64eff7. Organizations running affected versions should upgrade immediately using the official release available at the Bytedesk v1.4.5.4 Release.
For patch details and the specific code changes, review the commit on GitHub.
Workarounds
- Implement URL allowlisting at the application or WAF level to restrict the domains that can be specified in apiUrl
- Deploy network-level controls to prevent the application server from accessing internal resources
- Temporarily disable the SpringAI OpenRouter functionality if not required for business operations
- Implement egress firewall rules to restrict outbound connections from the Bytedesk application server
# Example: Restrict egress traffic from Bytedesk application server
# Block access to internal networks and cloud metadata services
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
