CVE-2026-3789 Overview
A Server-Side Request Forgery (SSRF) vulnerability was discovered in Bytedesk up to version 1.3.9. The vulnerability exists in the getModels function within the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java of the SpringAIGiteeRestController component. By manipulating the apiUrl argument, an attacker can force the server to make arbitrary requests to internal or external resources, potentially accessing sensitive data or internal services.
Critical Impact
Remote attackers with low privileges can exploit this SSRF vulnerability to access internal network resources, bypass security controls, and potentially pivot to other internal systems. The exploit is publicly available, increasing the risk of active exploitation.
Affected Products
- Bytedesk versions up to 1.3.9
- SpringAIGiteeRestController component
- SpringAIGiteeRestService class
Discovery Timeline
- 2026-03-09 - CVE-2026-3789 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-3789
Vulnerability Analysis
This SSRF vulnerability arises from insufficient validation of user-controlled input in the apiUrl parameter within the getModels function. The SpringAIGiteeRestService component processes external API URL requests without proper URI validation, allowing attackers to redirect server-side requests to arbitrary destinations. This can lead to unauthorized access to internal services, information disclosure from cloud metadata endpoints, or abuse of trust relationships between internal systems.
The vulnerability is remotely exploitable and requires only low-level authentication, making it accessible to authenticated users who can interact with the affected AI provider integration endpoint.
Root Cause
The root cause of CVE-2026-3789 is improper input validation of the apiUrl parameter in the SpringAIGiteeRestService.java file. The application fails to validate or sanitize the URL before making server-side HTTP requests, allowing attackers to specify arbitrary URLs including internal network addresses, localhost references, or cloud metadata services.
Attack Vector
The attack can be performed remotely over the network by an authenticated user. The attacker manipulates the apiUrl parameter in requests to the SpringAIGiteeRestController endpoint, causing the server to make requests to attacker-controlled or internal destinations. This can be used to:
- Access internal services not exposed to the internet
- Retrieve cloud instance metadata (e.g., AWS IMDSv1)
- Port scan internal networks
- Bypass firewall restrictions
The security patch introduces proper URI validation using java.net.URI to sanitize the input:
*/
package com.bytedesk.ai.springai.providers.gitee;
+import java.net.URI;
import java.util.List;
import java.util.Map;
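Review bot: the only change visible in this hunk is the new `import java.net.URI;` line; the validation logic that consumes it is not shown, so the page's claim that the input is now sanitized cannot be checked from this hunk alone. Parsing with `new URI(apiUrl)` is not by itself a sanitizer (a syntactically valid URI can still point at localhost, a private range or 169.254.169.254), so the reviewer would want to see the follow-up scheme and host check, ideally an allowlist of the expected Gitee API host, before treating the SSRF as closed.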
Source: Bytedesk Commit Details
The fix adds proper URI parsing and validation to ensure that only legitimate external API endpoints can be accessed, preventing redirection to internal or malicious hosts.
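As an added illustration, not Bytedesk's own code and not the contents of commit 975e39e4dd527596987559f56c5f9f973f64eff7, the class below shows how a getModels-style method can validate a user-supplied apiUrl with java.net.URI before any server-side request is made. The class name ProviderUrlValidator, the package, and the single allowlist entry ai.gitee.com are assumptions made for the example.

```java
package example.ssrf; // hypothetical package, not the Bytedesk source tree

import java.net.IDN;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/** Hypothetical allowlist-based validator for a user-supplied provider apiUrl. */
public final class ProviderUrlValidator {

    // Constructed allowlist: only the expected Gitee AI API host is permitted.
    private static final Set<String> ALLOWED_HOSTS = Set.of("ai.gitee.com");

    /** Returns a normalized URI that is safe to call, or throws IllegalArgumentException. */
    public static URI validate(String apiUrl) {
        final URI uri;
        try {
            uri = new URI(apiUrl).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("apiUrl is not a valid URI", e);
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("apiUrl must use https");
        }
        if (uri.getUserInfo() != null) { // rejects "allowed.host@evil" style confusion
            throw new IllegalArgumentException("userinfo is not allowed in apiUrl");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("apiUrl has no host");
        }
        host = IDN.toASCII(host).toLowerCase(); // canonical form before comparing
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Defence in depth: refuse if the allowed name currently resolves to a
        // loopback, site-local (10/8, 172.16/12, 192.168/16), link-local
        // (169.254/16, the cloud metadata range) or wildcard address.
        try {
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                    throw new IllegalArgumentException("host resolves to an internal address");
                }
            }
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("host does not resolve", e);
        }
        return uri;
    }
}
```

The HTTP client that consumes the returned URI should also be configured not to follow redirects, otherwise an allowed host can bounce the request to an internal one. Resolving at validation time does not fully close DNS rebinding; pinning the resolved address into the client connection does.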
Detection Methods for CVE-2026-3789
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests from the Bytedesk application server to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (e.g., 169.254.169.254) originating from the application
- Abnormal traffic patterns to the /springai/gitee or related AI provider endpoints with manipulated URL parameters
- Log entries showing the getModels function processing URLs pointing to internal resources
Detection Strategies
- Monitor application logs for requests containing suspicious apiUrl values targeting internal networks or localhost
- Implement network-level detection for outbound connections from web application servers to internal infrastructure
- Deploy Web Application Firewall (WAF) rules to detect SSRF patterns in request parameters
- Enable SentinelOne's behavioral AI to detect anomalous network connections from application processes
Monitoring Recommendations
- Configure alerting for DNS queries to internal hostnames or IP addresses from the Bytedesk application
- Monitor for requests to common cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- Track authentication patterns for users interacting with the affected SpringAI endpoints
- Review access logs for repeated requests with varying URL patterns indicating probing behavior
How to Mitigate CVE-2026-3789
Immediate Actions Required
- Upgrade Bytedesk to version 1.4.5.4 or later immediately
- If immediate upgrade is not possible, disable or restrict access to the SpringAIGiteeRestController endpoint
- Implement network-level controls to prevent the application server from making requests to internal networks
- Review access logs for any evidence of prior exploitation attempts
Patch Information
The vulnerability has been addressed in Bytedesk version 1.4.5.4. The fix is identified by commit hash 975e39e4dd527596987559f56c5f9f973f64eff7. Organizations should upgrade to this version or later to remediate the vulnerability. The patch can be reviewed at the Bytedesk Commit Details and the new release is available at Bytedesk Release v1.4.5.4.
Workarounds
- Implement an allowlist of permitted external API domains for the SpringAI provider integrations
- Deploy network segmentation to prevent the application server from accessing internal resources
- Use a forward proxy with URL filtering to control outbound requests from the application
- Temporarily disable the Gitee AI provider integration until the patch can be applied
# Example: Network-level mitigation using iptables to block internal network access
# Block outbound connections to internal networks from the application server.
# 'bytedesk' is the service account the application runs as; these rules must
# be placed before any rule that accepts all outbound traffic, or they never match.
iptables -A OUTPUT -m owner --uid-owner bytedesk -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner bytedesk -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner bytedesk -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner bytedesk -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.