Platform: rust
Component: lemmy_routes
Fixed in: 0.19.17, 0.19.16
CVE-2026-29178 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the lemmy_routes component of Lemmy. This vulnerability allows an unauthenticated attacker to inject arbitrary query parameters into internal requests made by the pict-rs library, potentially enabling them to fetch sensitive data from internal resources or external URLs. The vulnerability impacts Lemmy versions before 0.19.16, and a patch has been released to address the issue.
The SSRF vulnerability in Lemmy allows attackers to bypass security controls and make requests to internal or external resources as if they were originating from the Lemmy server. By injecting the proxy parameter into the file_type query parameter of the /api/v4/image/(unknown) endpoint, an attacker can force Lemmy to fetch arbitrary URLs. This could lead to the exposure of sensitive internal data, such as configuration files or database credentials, or even allow an attacker to interact with other internal services. The blast radius extends to any internal resources accessible from the Lemmy server, potentially compromising the entire infrastructure.
This vulnerability was publicly disclosed on 2026-03-04. Currently, there are no known active campaigns exploiting this specific CVE. No public proof-of-concept (POC) code has been released, but the SSRF nature of the vulnerability makes it relatively easy to exploit. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29178 is to upgrade Lemmy to version 0.19.16 or later, which includes a fix for the vulnerability. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule that blocks requests whose file_type query parameter contains an injected proxy parameter. Additionally, review and restrict outbound network access for the Lemmy server to minimize the potential impact of a successful SSRF attack. After upgrading, confirm the fix by attempting to access an external URL via the vulnerable endpoint and verifying that the request is blocked or handled securely.
Update Lemmy to version 0.19.16 or higher. This version fixes the SSRF vulnerability in the image endpoint by correctly validating query parameters. The update prevents attackers from injecting arbitrary parameters into internal requests to pict-rs.
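As an added example (not Lemmy's or pict-rs's own code) of the kind of query-parameter validation the fix describes: the file_type value is percent-decoded, rejected if it carries any query or path separator, and then matched against a fixed allowlist before it is written into the upstream pict-rs request. The helper names, the allowlist, the PICTRS_BASE address and the upstream URL shape are assumptions.

```rust
// Added example, not Lemmy's or pict-rs's code. Helper names, the allowlist,
// PICTRS_BASE and the upstream URL shape are assumptions for illustration.

const ALLOWED_FILE_TYPES: &[&str] = &["png", "jpg", "jpeg", "webp", "gif", "avif"];
const PICTRS_BASE: &str = "http://pictrs.internal:8080"; // assumed internal address

/// Minimal percent-decoder (no crate) so `%26`/`%3D` cannot hide a second key=value pair.
fn percent_decode(s: &str) -> Option<String> {
    let b = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        if b[i] == b'%' {
            out.push(u8::from_str_radix(s.get(i + 1..i + 3)?, 16).ok()?);
            i += 3;
        } else {
            out.push(if b[i] == b'+' { b' ' } else { b[i] });
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Canonical file type, or why the value was rejected: decoded value must be one allowlisted token.
fn validate_file_type(raw: &str) -> Result<&'static str, String> {
    let decoded = percent_decode(raw).ok_or("malformed percent-encoding")?;
    if decoded.chars().any(|c| matches!(c, '&' | '=' | '?' | '#' | '/' | '%' | '\\')) {
        return Err(format!("file_type carries a query or path separator: {decoded:?}"));
    }
    let lower = decoded.to_ascii_lowercase();
    ALLOWED_FILE_TYPES.iter().find(|t| **t == lower).copied()
        .ok_or_else(|| format!("file_type not in allowlist: {decoded:?}"))
}

/// Builds the upstream request only from validated pieces; pict-rs sees just the parameter written here.
fn upstream_url(alias: &str, raw_file_type: &str) -> Result<String, String> {
    let file_type = validate_file_type(raw_file_type)?;
    if alias.is_empty() || !alias.chars().all(|c| c.is_ascii_alphanumeric() || "._-".contains(c)) {
        return Err("alias must match [A-Za-z0-9._-]+".to_string());
    }
    Ok(format!("{PICTRS_BASE}/image/{alias}?file_type={file_type}"))
}

fn main() {
    // Constructed inputs: one benign, one carrying an encoded, injected `proxy` pair.
    for ft in ["webp", "webp%26proxy%3Dhttp%3A%2F%2Fexample.invalid%2F"] {
        println!("{ft} -> {:?}", upstream_url("abc123.jpg", ft));
    }
}
```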
CVE-2026-29178 is a Server-Side Request Forgery vulnerability in the Lemmy lemmy_routes component, allowing attackers to make requests to internal or external resources as the Lemmy server.
You are affected if you are running Lemmy versions prior to 0.19.16. Upgrade to the latest version to mitigate the risk.
Upgrade Lemmy to version 0.19.16 or later. As a temporary workaround, implement a WAF rule to block suspicious file_type parameters.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the Lemmy project's official security advisories and release notes for details: [https://github.com/LemmyNet/lemmy/releases](https://github.com/LemmyNet/lemmy/releases)