CVE-2026-3788
Published: 09 March 2026
Summary
CVE-2026-3788 is a medium-severity SSRF (CWE-918) vulnerability in Bytedesk. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-3788 is a server-side request forgery (SSRF) vulnerability affecting Bytedesk versions up to 1.3.9. The issue resides in the getModels function within the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java, part of the SpringAIOpenrouterRestController component. It allows manipulation of the apiUrl argument, enabling unauthorized requests from the server.
Attackers with low privileges (PR:L) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 score of 6.3. The vulnerability is associated with CWE-918 and has been publicly disclosed with an exploit available for use.
Mitigation involves upgrading to Bytedesk version 1.4.5.4, which includes the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. GitHub references, including the Bytedesk repository, the patch commit, and related issues (#20 and comments), provide further details on the fix.
The vulnerability occurs in an AI-related component integrating with OpenRouter via Spring AI, highlighting potential risks in AI service integrations within open-source customer support platforms like Bytedesk. No real-world exploitation in the wild is reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10278
Vulnerability details
A security vulnerability has been detected in Bytedesk up to 1.3.9. This impacts the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java of the component SpringAIOpenrouterRestController. Such manipulation of the argument apiUrl leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.5.4 will fix this issue. The name of the patch is 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing web app (Bytedesk/SpringAI controller) directly enables exploitation via T1190 for unauthorized server-side requests.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of the apiUrl argument in getModels to reject malicious external URLs and block the SSRF vector.
Enforces boundary controls that can restrict the server’s outbound requests initiated by the manipulated apiUrl.
Enforces information-flow policy on the OpenRouter integration path, preventing unauthorized server-initiated requests to attacker-controlled destinations.
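One way to implement the apiUrl validation described above, as an added example that is not Bytedesk's patch or code from this page. The class name ApiUrlGuard, the allowlisted host openrouter.ai, and the sample URLs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper (not Bytedesk code): validates a caller-supplied apiUrl
// before the server is allowed to issue an outbound request to it.
public class ApiUrlGuard {
    // Assumption: the only upstream host this integration needs to reach.
    private static final Set<String> ALLOWED_HOSTS = Set.of("openrouter.ai");

    static URI validate(String apiUrl) {
        URI uri;
        try {
            uri = URI.create(apiUrl == null ? "" : apiUrl.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("apiUrl is not a valid URI");
        }
        // Pin the scheme so file:, http:, gopher: and similar are refused.
        if (!"https".equalsIgnoreCase(uri.getScheme()))
            throw new IllegalArgumentException("apiUrl must use https");
        // "allowed-host@other-host" puts the allowed name in userinfo, not host.
        if (uri.getRawUserInfo() != null)
            throw new IllegalArgumentException("apiUrl must not carry userinfo");
        // Exact match on the parsed host: no suffix or substring comparison.
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)))
            throw new IllegalArgumentException("apiUrl host is not allowlisted");
        if (uri.getPort() != -1 && uri.getPort() != 443)
            throw new IllegalArgumentException("apiUrl port is not allowed");
        return uri;
    }

    public static void main(String[] args) {
        // Constructed inputs for exercising the filter; not from the advisory.
        List<String> samples = List.of(
            "https://openrouter.ai/api/v1",
            "http://openrouter.ai/api/v1",
            "https://openrouter.ai@10.0.0.5/admin",
            "https://openrouter.ai.other.example/api/v1",
            "https://127.0.0.1:8080/health",
            "file:///etc/hosts");
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is allowed. The HTTP client that consumes the returned URI should not follow redirects without re-running the same check, and egress filtering on the host covers what input validation alone cannot.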