A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 | Not Applicable |
| https://gist.github.com/YLChen-007/cf7e47e4dda392f474ca77a66d1d847f | Exploit Third Party Advisory |
| https://vuldb.com/submit/811404 | Third Party Advisory VDB Entry |
| https://vuldb.com/submit/811405 | Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364393 | Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364393/cti | Permissions Required VDB Entry |
Configurations
History
19 May 2026, 15:24
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gist.github.com/YLChen-007/07d149bd68adbee58165b4207a2abc71 - Not Applicable | |
| References | () https://gist.github.com/YLChen-007/cf7e47e4dda392f474ca77a66d1d847f - Exploit, Third Party Advisory | |
| References | () https://vuldb.com/submit/811404 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/submit/811405 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/vuln/364393 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/vuln/364393/cti - Permissions Required, VDB Entry | |
| First Time |
Vercel ai
Vercel |
|
| CPE | cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:* |
17 May 2026, 23:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-17 23:17
Updated : 2026-05-19 15:24
NVD link : CVE-2026-8768
Mitre link : CVE-2026-8768
CVE.ORG link : CVE-2026-8768
JSON object : View
Products Affected
vercel
- ai
CWE
CWE-918
Server-Side Request Forgery (SSRF)