CVE-2026-22664
Published: 03 April 2026
Summary
CVE-2026-22664 is a high-severity SSRF (CWE-918) vulnerability in Fka Prompts.Chat. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22664 is a server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting prompts.chat prior to commit 30a8f04. The flaw exists in the Fal.ai media status polling feature, where a lack of URL validation in the token parameter enables authenticated users to trigger arbitrary outbound requests from the server.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) in a changed scope (S:C) but no integrity or availability effects. By supplying attacker-controlled URLs, they can force the server to make requests that disclose the FAL_API_KEY in the Authorization header, resulting in credential theft, internal network probing, and abuse of the victim's Fal.ai account. The CVSS v3.1 base score is 7.7.
Mitigation involves updating to commit 30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99 or later in the prompts.chat repository, which addresses the URL validation issue. Detailed analysis is provided in VulnCheck's advisory at https://www.vulncheck.com/advisories/prompts-chat-ssrf-via-fal-ai-media-status-polling and researcher mdisec's GitHub Gist at https://gist.github.com/mdisec/27c0cac0ec6a8f3c8f85a18987ddb942.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18827
Vulnerability details
prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack…
more
of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing web app directly enables initial access via T1190; forces outbound requests leaking API keys (T1528) and supports internal network probing (T1046).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs such as the token URL parameter, blocking the malformed requests that enable SSRF.
Enforces information-flow policies that restrict the server from initiating arbitrary outbound requests to attacker-supplied destinations.
Boundary-protection mechanisms can deny or filter the unauthorized outbound connections used to exfiltrate the FAL_API_KEY.