CVE-2026-5633 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in assafelovic gpt-researcher versions up to 3.4.3. The vulnerability exists in an unknown function of the WebSocket (ws) endpoint component, where improper validation of the source_urls argument allows attackers to manipulate the parameter and force the server to make requests to arbitrary destinations. This vulnerability can be exploited remotely without authentication, enabling attackers to potentially access internal services, scan internal networks, or exfiltrate sensitive data.
Critical Impact
Remote attackers can exploit this SSRF vulnerability to bypass network security controls, access internal services, and potentially pivot to other systems within the target infrastructure.
Affected Products
- assafelovic gpt-researcher up to version 3.4.3
Discovery Timeline
- 2026-04-06 - CVE-2026-5633 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5633
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw resides in the WebSocket endpoint component of gpt-researcher, specifically in how the application processes the source_urls argument. When user-supplied URLs are not properly validated before being used in server-side HTTP requests, attackers can manipulate these URLs to target internal resources, cloud metadata services, or other sensitive endpoints that would normally be inaccessible from the public internet.
The SSRF vulnerability allows attackers to abuse the server's trust relationships and network position. Since gpt-researcher is designed to fetch and analyze web content for research purposes, the source_urls parameter is a natural attack surface for SSRF when input validation is insufficient.
Root Cause
The root cause of this vulnerability is insufficient input validation and sanitization of user-supplied URLs in the source_urls argument. The application fails to implement proper URL allowlisting or blocklisting controls, scheme validation, and internal network address filtering before processing the URLs for server-side requests. This allows attackers to specify arbitrary URLs, including those pointing to internal network resources, localhost, or cloud provider metadata endpoints.
Attack Vector
The attack can be executed remotely over the network through the WebSocket endpoint. An attacker sends a malicious request containing crafted URLs in the source_urls parameter, targeting internal services or sensitive endpoints. The server processes these URLs without adequate validation, executing requests on behalf of the attacker.
The vulnerability can be exploited to:
- Access internal services behind firewalls or NAT
- Query cloud metadata services (e.g., http://169.254.169.254/ on AWS, GCP, Azure)
- Scan internal network ports and services
- Bypass authentication controls for internal APIs
- Exfiltrate data through DNS or HTTP channels
The exploit has been publicly disclosed through GitHub Issue #1696. Technical details and proof-of-concept information can be found in the VulDB submission.
Detection Methods for CVE-2026-5633
Indicators of Compromise
- Unusual outbound HTTP requests from gpt-researcher to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- WebSocket connections with source_urls containing localhost, 127.0.0.1, or internal hostnames
- Server logs showing requests to unexpected internal services or ports
Detection Strategies
- Monitor WebSocket endpoint traffic for suspicious source_urls parameter values containing internal IP addresses or metadata service URLs
- Implement application-layer inspection to detect SSRF patterns in URL parameters
- Deploy web application firewall (WAF) rules to block requests with internal network addresses in URL parameters
- Enable detailed logging for all outbound HTTP requests made by the gpt-researcher application
Monitoring Recommendations
- Configure network monitoring to alert on outbound connections from the gpt-researcher server to internal network ranges
- Implement DNS query logging to detect internal hostname resolution attempts
- Set up alerts for connections to common cloud metadata IP addresses
- Review gpt-researcher application logs regularly for anomalous URL fetch patterns
How to Mitigate CVE-2026-5633
Immediate Actions Required
- Restrict network access for the gpt-researcher application to prevent connections to internal networks and sensitive endpoints
- Implement URL allowlisting to only permit access to trusted external domains
- Deploy egress filtering rules to block outbound connections to internal IP ranges and metadata services
- Consider temporarily disabling the WebSocket endpoint if not critical to operations until a patch is available
Patch Information
As of the last update, the project maintainers have not responded to the vulnerability report submitted through GitHub Issue #1696. Users should monitor the gpt-researcher GitHub repository for security updates and patches. Additional vulnerability details are available through VulDB #355421.
Workarounds
- Implement a reverse proxy or gateway that validates and filters all source_urls before they reach the gpt-researcher application
- Configure firewall rules to block all egress traffic from the application server to internal networks (RFC 1918 addresses) and cloud metadata services
- Use network segmentation to isolate the gpt-researcher instance from sensitive internal resources
- Consider running gpt-researcher in a sandboxed environment with restricted network capabilities
# Example iptables rules to block SSRF to internal networks
# Block access to private IP ranges from the gpt-researcher server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
