CVE-2026-3789 Overview
CVE-2026-3789 is a Server-Side Request Forgery (SSRF) vulnerability affecting Bytedesk versions up to 1.3.9. The flaw resides in the getModels function within source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java, part of the SpringAIGiteeRestController component. Attackers can manipulate the apiUrl argument to coerce the server into issuing arbitrary outbound HTTP requests. The vulnerability is remotely exploitable and the exploit details have been disclosed publicly. The issue is tracked under CWE-918 and resolved in version 1.4.5.4.
Critical Impact
Authenticated remote attackers can abuse the SSRF flaw to probe internal networks, access metadata services, or interact with backend systems otherwise unreachable from the public internet.
Affected Products
- Bytedesk versions up to and including 1.3.9
- Component: SpringAIGiteeRestController
- Fixed version: Bytedesk 1.4.5.4
Discovery Timeline
- 2026-03-09 - CVE-2026-3789 published to NVD
- 2026-04-29 - Last updated in NVD database
- Patch commit - 975e39e4dd527596987559f56c5f9f973f64eff7 applied in the Bytedesk GitHub repository
Technical Details for CVE-2026-3789
Vulnerability Analysis
The vulnerability stems from unsafe handling of the apiUrl parameter inside the getModels function of SpringAIGiteeRestService.java. The Bytedesk AI provider integration accepts a user-controlled URL and uses it as the destination for an outbound HTTP request without validating its scheme, host, or network destination. This pattern qualifies as a classic Server-Side Request Forgery [CWE-918].
Because the request is issued from the Bytedesk server, an attacker can pivot the application's network position. Targets include internal HTTP services, cloud instance metadata endpoints such as 169.254.169.254, and adjacent infrastructure that is not exposed to the internet. The CVE record indicates that exploitation requires low privileges and no user interaction.
Root Cause
The root cause is missing allow-list validation on the apiUrl parameter passed to the Gitee model-listing endpoint. The service component directly forwards the attacker-supplied URL to its HTTP client, treating an external configuration value as a trusted destination. No filtering for private IP ranges, link-local addresses, or non-HTTP schemes is performed before the request is dispatched.
Attack Vector
Exploitation occurs over the network against the SpringAIGiteeRestController endpoint. An authenticated attacker submits a crafted request that sets apiUrl to an internal address or sensitive backend URL. The Bytedesk server then issues the request and may return response data, headers, or timing information to the attacker. Public disclosure of the exploit on VulDB #349756 increases the likelihood of opportunistic exploitation.
No verified proof-of-concept code is available in the referenced sources. Refer to the Bytedesk issue discussion for technical context.
Detection Methods for CVE-2026-3789
Indicators of Compromise
- Outbound HTTP requests from the Bytedesk application server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or link-local addresses such as 169.254.169.254.
- Application log entries showing calls to getModels with non-Gitee hostnames in the apiUrl parameter.
- Unexpected DNS lookups from the Bytedesk host targeting internal-only domains.
Detection Strategies
- Inspect Bytedesk request logs for the SpringAIGiteeRestController endpoint and flag any apiUrl value whose host does not match the expected Gitee API domain.
- Deploy egress filtering rules and alert on outbound traffic from the Bytedesk service account to internal subnets or cloud metadata endpoints.
- Correlate web application firewall (WAF) logs with backend HTTP client activity to identify request fan-out triggered by a single inbound request.
Monitoring Recommendations
- Ingest Bytedesk application logs and HTTP egress telemetry into a centralized log platform for correlation against SSRF heuristics.
- Monitor cloud instance metadata service access patterns and alert on any request originating from the Bytedesk workload.
- Track installed Bytedesk versions across the environment and flag any host running a release below 1.4.5.4.
How to Mitigate CVE-2026-3789
Immediate Actions Required
- Upgrade Bytedesk to version 1.4.5.4 or later using the v1.4.5.4 release.
- Restrict outbound network access from the Bytedesk host to only the external API endpoints required for normal operation.
- Audit existing AI provider configurations for unexpected apiUrl values introduced before patching.
Patch Information
The maintainers addressed the issue in commit 975e39e4dd527596987559f56c5f9f973f64eff7, included in release 1.4.5.4. Review the Bytedesk commit changes for the exact validation logic applied to the apiUrl parameter.
Workarounds
- Apply network-layer egress filtering that blocks the Bytedesk service from reaching private IP ranges and the cloud metadata IP 169.254.169.254.
- Place the Bytedesk service behind an authenticated outbound proxy that enforces an allow-list of permitted destination domains.
- Limit access to the SpringAIGiteeRestController endpoint to trusted administrative users until the upgrade is completed.
# Example iptables egress restriction for the Bytedesk host
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
