CVE-2026-42181
Severity: MEDIUM
Lemmy: SSRF and internal image disclosure in post link metadata via unvalidated og:image
Title source: cna
Description
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18.
References (2)
Confirm: https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq
Misc: https://github.com/LemmyNet/lemmy/releases/tag/0.19.18
Scores
CVSS v3
6.5
EPSS
0.0021
EPSS Percentile
10.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
crates.io/lemmy_api_common: 0 - 0.19.18 (crates.io)
LemmyNet/lemmy: < 0.19.18
Published
May 08, 2026
Tracked Since
May 09, 2026