CVE-2026-22664

HighPublic PoC

Published: 03 April 2026

Published

03 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Score 0.0003 10.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22664 is a high-severity SSRF (CWE-918) vulnerability in Fka Prompts.Chat. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of attacker-controlled URLs in the token parameter to prevent SSRF enabling arbitrary outbound requests.

AC-4 Information Flow Enforcement good match

prevent

Enforces information flow control policies restricting server outbound connections to approved URLs/domains, blocking SSRF exploitation.

SC-7 Boundary Protection partial match

preventdetect

Monitors and controls communications at boundaries to block or detect unauthorized outbound requests that could probe networks or leak API keys.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1528 Steal Application Access Token Credential Access

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

SSRF in public-facing web app directly enables initial access via T1190; forces outbound requests leaking API keys (T1528) and supports internal network probing (T1046).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL…

validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.

Deeper analysisAI

CVE-2026-22664 is a server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting prompts.chat prior to commit 30a8f04. The flaw exists in the Fal.ai media status polling feature, where a lack of URL validation in the token parameter enables authenticated users to trigger arbitrary outbound requests from the server.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality impact (C:H) in a changed scope (S:C) but no integrity or availability effects. By supplying attacker-controlled URLs, they can force the server to make requests that disclose the FAL_API_KEY in the Authorization header, resulting in credential theft, internal network probing, and abuse of the victim's Fal.ai account. The CVSS v3.1 base score is 7.7.

Mitigation involves updating to commit 30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99 or later in the prompts.chat repository, which addresses the URL validation issue. Detailed analysis is provided in VulnCheck's advisory at https://www.vulncheck.com/advisories/prompts-chat-ssrf-via-fal-ai-media-status-polling and researcher mdisec's GitHub Gist at https://gist.github.com/mdisec/27c0cac0ec6a8f3c8f85a18987ddb942.