Cyber Resilience

CVE-2026-22664

HighPublic PoCUpdated

Published: 03 April 2026

Published
03 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 12.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22664 is a high-severity SSRF (CWE-918) vulnerability in Fka Prompts.Chat. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22664 is a server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting prompts.chat prior to commit 30a8f04. The flaw exists in the Fal.ai media status polling feature, where a lack of URL validation in the token parameter enables authenticated users to trigger arbitrary outbound requests from the server.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) in a changed scope (S:C) but no integrity or availability effects. By supplying attacker-controlled URLs, they can force the server to make requests that disclose the FAL_API_KEY in the Authorization header, resulting in credential theft, internal network probing, and abuse of the victim's Fal.ai account. The CVSS v3.1 base score is 7.7.

Mitigation involves updating to commit 30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99 or later in the prompts.chat repository, which addresses the URL validation issue. Detailed analysis is provided in VulnCheck's advisory at https://www.vulncheck.com/advisories/prompts-chat-ssrf-via-fal-ai-media-status-polling and researcher mdisec's GitHub Gist at https://gist.github.com/mdisec/27c0cac0ec6a8f3c8f85a18987ddb942.

EU & UK References

Vulnerability details

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack…

more

of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing web app directly enables initial access via T1190; forces outbound requests leaking API keys (T1528) and supports internal network probing (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22663Same product: Fka Prompts.Chat
CVE-2026-22665Same product: Fka Prompts.Chat
CVE-2026-22661Same product: Fka Prompts.Chat
CVE-2026-28451Shared CWE-918
CVE-2026-4231Shared CWE-918
CVE-2026-34576Shared CWE-918
CVE-2026-30247Shared CWE-918
CVE-2026-27488Shared CWE-918
CVE-2026-41271Shared CWE-918
CVE-2026-24779Shared CWE-918

Affected Assets

fka
prompts.chat
≤ 2026-03-25

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs such as the token URL parameter, blocking the malformed requests that enable SSRF.

prevent

Enforces information-flow policies that restrict the server from initiating arbitrary outbound requests to attacker-supplied destinations.

prevent

Boundary-protection mechanisms can deny or filter the unauthorized outbound connections used to exfiltrate the FAL_API_KEY.

References