Cyber Resilience

CVE-2026-3789

MediumPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.7th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-3789 is a medium-severity SSRF (CWE-918) vulnerability in Bytedesk Bytedesk. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3789 is a server-side request forgery (SSRF) vulnerability, classified as CWE-918, affecting Bytedesk versions up to 1.3.9. The flaw exists in the getModels function of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java within the SpringAIGiteeRestController component. Published on 2026-03-09, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation through manipulation of the apiUrl argument. Low-privileged remote attackers (PR:L) can trigger SSRF without user interaction, potentially achieving low-level impacts on confidentiality, integrity, and availability.

Advisories recommend upgrading to Bytedesk version 1.4.5.4, which resolves the issue via patch commit 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is advised, as the exploit is now public and may be used.

The vulnerable component relates to Bytedesk's AI integration using SpringAI and the Gitee provider, with details available in the project's GitHub repository, including issues #21 and the referenced commit.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in Bytedesk up to 1.3.9. Affected is the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java of the component SpringAIGiteeRestController. Performing a manipulation of the argument apiUrl results in server-side request forgery. Remote exploitation of the attack is…

more

possible. The exploit is now public and may be used. Upgrading to version 1.4.5.4 is able to address this issue. The patch is named 975e39e4dd527596987559f56c5f9f973f64eff7. Upgrading the affected component is advised.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability in public-facing Bytedesk web application (SpringAIGiteeRestController) directly enables exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3788Same product: Bytedesk Bytedesk
CVE-2026-3749Same product: Bytedesk Bytedesk
CVE-2026-3748Same product: Bytedesk Bytedesk
CVE-2026-45401Shared CWE-918
CVE-2025-69222Shared CWE-918
CVE-2024-11030Shared CWE-918
CVE-2026-40168Shared CWE-918
CVE-2024-12779Shared CWE-918
CVE-2026-45400Shared CWE-918
CVE-2026-45548Shared CWE-918

Affected Assets

bytedesk
bytedesk
≤ 1.4.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SSRF exploitation by validating the apiUrl argument in the getModels function of SpringAIGiteeRestService to restrict it to trusted endpoints.

prevent

Requires timely flaw remediation through upgrading Bytedesk to version 1.4.5.4, which patches the SSRF vulnerability via commit 975e39e4dd527596987559f56c5f9f973f64eff7.

preventdetect

Mitigates SSRF by monitoring and controlling communications at system boundaries to block or detect unauthorized outbound requests triggered by the apiUrl manipulation.

References