Cyber Resilience

CVE-2026-3788

Medium · Public PoC

Published: 09 March 2026

Modified: 10 March 2026
KEV Added
Patch
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0042 (33.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-3788 is a medium-severity SSRF (CWE-918) vulnerability in Bytedesk. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-3788 is a server-side request forgery (SSRF) vulnerability affecting Bytedesk versions up to 1.3.9. The issue resides in the getModels function within the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java, part of the SpringAIOpenrouterRestController component. It allows manipulation of the apiUrl argument, enabling unauthorized requests from the server.

Attackers with low privileges (PR:L) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 score of 6.3. The vulnerability is associated with CWE-918 and has been publicly disclosed with an exploit available for use.

Mitigation involves upgrading to Bytedesk version 1.4.5.4, which includes the patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. GitHub references, including the Bytedesk repository, the patch commit, and related issues (#20 and comments), provide further details on the fix.

The vulnerability occurs in an AI-related component integrating with OpenRouter via Spring AI, highlighting potential risks in AI service integrations within open-source customer support platforms like Bytedesk. No real-world exploitation in the wild is reported.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security vulnerability has been detected in Bytedesk up to 1.3.9. This impacts the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java of the component SpringAIOpenrouterRestController. Such manipulation of the argument apiUrl leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.4.5.4 will fix this issue. The name of the patch is 975e39e4dd527596987559f56c5f9f973f64eff7. It is recommended to upgrade the affected component.

CWE(s)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing web app (Bytedesk/SpringAI controller) directly enables exploitation via T1190 for unauthorized server-side requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3789 (Same product: Bytedesk Bytedesk)
CVE-2026-3749 (Same product: Bytedesk Bytedesk)
CVE-2026-3748 (Same product: Bytedesk Bytedesk)
CVE-2026-27795 (Shared CWE-918)
CVE-2026-8768 (Shared CWE-918)
CVE-2024-13195 (Shared CWE-918)
CVE-2026-5052 (Shared CWE-918)
CVE-2025-58045 (Shared CWE-918)
CVE-2025-69299 (Shared CWE-918)
CVE-2026-42398 (Shared CWE-918)

Affected Assets

bytedesk / bytedesk: ≤ 1.4.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of the apiUrl argument in getModels to reject malicious external URLs and block the SSRF vector.

Prevent: Enforces boundary controls that can restrict the server’s outbound requests initiated by the manipulated apiUrl.

Prevent: Enforces information-flow policy on the OpenRouter integration path, preventing unauthorized server-initiated requests to attacker-controlled destinations.
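One way to implement the apiUrl validation described above, as an added example that is not Bytedesk's code or its patch. The class name ApiUrlValidator, the allowlisted host and the sample inputs are assumptions made for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Added illustration, not Bytedesk code. Class name and allowlist are assumptions.
public final class ApiUrlValidator {
    // Assumed allowlist: the only upstream host this integration should call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("openrouter.ai");

    /** Returns the parsed URI when apiUrl is acceptable, otherwise throws. */
    public static URI validate(String apiUrl) throws Exception {
        URI uri;
        try {
            uri = URI.create(apiUrl.trim()).normalize();
        } catch (RuntimeException e) { // null or malformed input
            throw new IllegalArgumentException("apiUrl is not a valid URI");
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()))
            throw new IllegalArgumentException("only https is allowed");
        if (uri.getRawUserInfo() != null) // blocks user@host confusion
            throw new IllegalArgumentException("userinfo is not allowed");
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)))
            throw new IllegalArgumentException("host is not on the allowlist");
        if (uri.getPort() != -1 && uri.getPort() != 443)
            throw new IllegalArgumentException("unexpected port");
        // Defence in depth: an allowlisted name must not resolve to an internal address.
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (isInternal(a)) throw new IllegalArgumentException("resolves to internal address");
        }
        return uri;
    }
    static boolean isInternal(InetAddress a) {
        // isSiteLocalAddress() does not cover IPv6 unique-local fc00::/7, so test it here.
        boolean uniqueLocalV6 = a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6;
    }
    public static void main(String[] args) {
        // Constructed sample inputs; the first needs DNS and is rejected when offline.
        String[] samples = { "https://openrouter.ai/api/v1", "http://openrouter.ai/api/v1",
            "https://127.0.0.1/api/v1", "https://openrouter.ai@internal.example/",
            "https://openrouter.ai:8443/api/v1", "not a url" };
        for (String s : samples) {
            try { System.out.println("accept " + validate(s)); }
            catch (Exception e) { System.out.println("reject " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

Validation alone leaves a gap if the HTTP client follows redirects or re-resolves the hostname after the check, so the caller should disable redirect following and pair this with the outbound boundary controls listed above.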

References