PYSEC-2026-1396

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/fschat/PYSEC-2026-1396.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1396
Aliases
Published
2026-07-07T14:34:53.518148Z
Modified
2026-07-07T17:46:29.878789053Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
FastChat Server-Side Request Forgery vulnerability
Details

A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a13. This vulnerability allows an attacker to access internal server resources and data that are otherwise inaccessible, such as AWS metadata credentials.

References

Affected packages

PyPI / fschat

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.2.36

Affected versions

0.*
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.2.16
0.2.17
0.2.18
0.2.20
0.2.21
0.2.23
0.2.24
0.2.26
0.2.27
0.2.28
0.2.29
0.2.30
0.2.31
0.2.32
0.2.33
0.2.34
0.2.35
0.2.36

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/fschat/PYSEC-2026-1396.yaml"