Cyber Resilience

CVE-2026-7223

Medium

Published: 28 April 2026

Published
28 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.5th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7223 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7223 is a server-side request forgery (SSRF) vulnerability, classified as CWE-918, affecting BigSweetPotatoStudio HyperChat versions up to 2.0.0-alpha.63. The flaw exists in the fetch function of the file packages/core/src/http/aiProxyMiddleware.mts within the AI Proxy Middleware component, where manipulation of the baseurl argument enables the issue. Published on 2026-04-28, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.

The vulnerability can be exploited remotely by unauthenticated attackers with no user interaction required. By supplying a malicious baseurl argument, attackers can trick the server into initiating arbitrary requests, potentially compromising low levels of confidentiality, integrity, and availability as scored by CVSS.

Advisories note that the project was informed early via GitHub issue #142 (https://github.com/BigSweetPotatoStudio/HyperChat/issues/142) but has not responded. No patches or mitigations are available yet; practitioners should review the repository (https://github.com/BigSweetPotatoStudio/HyperChat/) and VulDB entries (https://vuldb.com/vuln/359823) for updates.

The exploit is publicly available and might be used. The involvement of the AI Proxy Middleware component suggests relevance to AI-integrated chat applications.

EU & UK References

Vulnerability details

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The…

more

attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability in public-facing AI Proxy Middleware component allows remote unauthenticated exploitation of the server application via malicious baseurl manipulation to initiate arbitrary requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3789Shared CWE-918
CVE-2026-28677Shared CWE-918
CVE-2026-45400Shared CWE-918
CVE-2026-45331Shared CWE-918
CVE-2026-3788Shared CWE-918
CVE-2026-45548Shared CWE-918
CVE-2026-39418Shared CWE-918
CVE-2026-40168Shared CWE-918
CVE-2026-8768Shared CWE-918
CVE-2026-45338Shared CWE-918

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the baseurl argument in the AI Proxy Middleware fetch function to prevent SSRF by rejecting malicious URLs.

prevent

Enforces information flow control policies to restrict the proxy middleware from initiating requests to unauthorized internal or external destinations.

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect SSRF attempts from the vulnerable fetch function.

References