{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25883", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-06T21:08:39.129Z", "datePublished": "2026-04-20T16:04:36.584Z", "dateUpdated": "2026-04-20T16:36:21.221Z"}, "containers": {"cna": {"title": "Vexa Webhook Feature has a SSRF Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4"}], "affected": [{"vendor": "Vexa-ai", "product": "vexa", "versions": [{"version": "< 0.10.0-260419-1910", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:04:36.584Z"}, "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue."}], "source": {"advisory": "GHSA-fhr6-8hff-cvg4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:36:00.485727Z", "id": "CVE-2026-25883", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:36:21.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25883", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:36:00.485727Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:36:12.302Z"}}], "cna": {"title": "Vexa Webhook Feature has a SSRF Vulnerability", "source": {"advisory": "GHSA-fhr6-8hff-cvg4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Vexa-ai", "product": "vexa", "versions": [{"status": "affected", "version": "< 0.10.0-260419-1910"}]}], "references": [{"url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4", "name": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T16:04:36.584Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25883", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:36:21.221Z", "dateReserved": "2026-02-06T21:08:39.129Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T16:04:36.584Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue."}], "id": "CVE-2026-25883", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:41.907", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:19:44.555041+00:00", "value": {"mitigation_remediation": ["Upgrade the Vexa installation to version 0.10.0\u2011260419\u20111910 or later, where the SSRF issue is fixed.", "If an upgrade cannot be performed immediately, disable the webhook feature or restrict webhook URLs to an approved whitelist of external domains.", "Implement network segmentation or firewall rules that prevent outbound connections from the Vexa service to internal IP ranges, and monitor for outbound HTTP traffic to internal addresses."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery that permits an authenticated user to make the server reach internal services, potentially exposing secrets."}, "threat_synthesis": {"affected_systems": "Any instance of the Vexa HTTP API running versions earlier than 0.10.0\u2011260419\u20111910 is vulnerable. The affected product is Vexa\u2011AI Vexa, a self\u2011hosted meeting bot and transcription API. Authenticated users controlling the webhook configuration are the attack surface.", "description_and_impact": "The Vexa webhook feature accepts an arbitrary URL to post meeting\u2011completion data. Because no validation is performed, an attacker who is authenticated can configure that URL to point to internal services, cloud metadata endpoints, or localhost resources. By forcing the application to contact those targets, the attacker can gather internal network information, extract credentials from cloud metadata services, or interact with database or admin interfaces. This SSRF flaw allows the attacker to potentially read or manipulate data inside the environment, affecting confidentiality and integrity of the internal infrastructure. The flaw is represented by CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 5.8 indicates a moderate severity. The EPSS score is not available, so exploitation probability is unknown. It is not listed in the CISA KEV catalog. Because the flaw requires only an authenticated user and affecting an internal request, an attacker with sufficient access can exploit it without needing complex setups. The most straightforward attack vector is an authenticated user setting a webhook URL that points to an internal service or cloud metadata endpoint."}}}}, "created": "2026-04-20T17:30:12.650052+00:00", "updated": "2026-04-20T17:30:12.650062+00:00", "vendors": []}