Lemmy has SSRF in /api/v3/post via Webmention dispatch — CVE-2026-42180
GitHub · GitHub · CVE-2026-42180
ID
CVE-2026-42180
CVE-2026-42180
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.3
6.3
EPSS
0.00034
0.00034
Summary
### Summary Lemmy allows an authenticated low-privileged user to create a link post through `POST /api/v3/post`. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is…
Product
rust: lemmy_api_common
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.