CVE-2026-25738

Source
https://cve.org/CVERecord?id=CVE-2026-25738
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25738.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25738
Aliases
Published
2026-02-19T15:30:54.824Z
Modified
2026-02-27T00:36:43.061054Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Indico has Server-Side Request Forgery (SSRF) in multiple places
Details

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Indico's functionality, but it is never intended to let users reach "special" targets such as localhost or cloud metadata endpoints. Users should upgrade to version 3.3.10 to receive a patch. Those who do not have IPs that expose sensitive data without authentication (typically because they do not host Indico on AWS) are not affected. Only event organizers can access the endpoints where SSRF could be used to actually see the data returned by such a request; for those who trust their event organizers, the risk is also very limited. For additional security, both before and after patching, one may also use the common proxy-related environment variables (in particular http_proxy and https_proxy) to force outgoing requests through a proxy that restricts requests in whatever way you deem useful or necessary. These environment variables would need to be set on both the indico-uwsgi and indico-celery services.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-367",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25738.json"
}
References

Affected packages

Git / github.com/indico/indico

Affected ranges

Type
GIT
Repo
https://github.com/indico/indico
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.97-rc1
v0.97-rc2
v0.97.0
v0.97b
v0.97b2
v0.98-rc1
v0.98.1
v0.98.2
v0.98.3
v0.99.0
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.2-latest
v1.2.0
v1.9.1
v1.9.11.dev10
v1.9.11.dev11
v1.9.11.dev12
v1.9.11.dev13
v1.9.11.dev14
v1.9.11.dev15
v1.9.11.dev16
v1.9.11.dev17
v1.9.11.dev18
v1.9.11.dev3
v1.9.11.dev6
v1.9.11.dev7
v1.9.11.dev8
v1.9.11.dev9
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.9
v2.*
v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0a1
v2.0rc1
v2.0rc2
v2.1
v2.1.1
v2.1.10
v2.1.11
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.7+docs
v2.1.8
v2.1.9
v2.1a1
v2.1a2
v2.1a3
v2.1b1
v2.1rc1
v2.1rc2
v2.1rc3
v2.1rc4
v2.1rc5
v2.1rc6
v2.2
v2.2+docs
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.8+archived
v2.3
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.5+archived
v3.*
v3.0
v3.0.1
v3.0.2
v3.0.3
v3.0.3+archived
v3.0rc1
v3.0rc2
v3.1
v3.1.1
v3.1.1+archived
v3.2
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.6+docs
v3.2.7
v3.2.8
v3.2.9
v3.3
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25738.json"