GHSA-F47C-3C5W-V7P4

Vulnerability from github – Published: 2026-02-17 18:53 – Updated: 2026-02-19 21:29
VLAI?
Summary
Indico has Server-Side Request Forgery (SSRF) in multiple places
Details

Impact

Indico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico's functionality, but of course it is never intended to let you access "special" targets such as localhost or cloud metadata endpoints.

Patches

You should to update to Indico 3.3.10 as soon as possible. See the docs for instructions on how to update.

Workarounds

If you do not have IPs that expose sensitive data without authentication (typically because you do not host Indico on AWS), this vulnerability doesn't impact you and you can ignore it (but please upgrade anyway). Also, only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. So if you trust your event organizers, the risk is also very limited.

For additional security, both before and after patching, you could also use the common proxy-related environment variables (in particular http_proxy and https_proxy) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services. Please note that setting up such a proxy is not something we can help you with.

For more information

If you have any questions or comments about this advisory:

Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "indico"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T18:53:25Z",
    "nvd_published_at": "2026-02-19T16:27:15Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIndico makes outgoing requests to user-provides URLs in various places. This is mostly intentional and part of Indico\u0027s functionality, but of course it is never intended to let you access \"special\" targets such as localhost or cloud metadata endpoints.\n\n### Patches\nYou should to update to [Indico 3.3.10](https://github.com/indico/indico/releases/tag/v3.3.10) as soon as possible.\nSee [the docs](https://docs.getindico.io/en/stable/installation/upgrade/) for instructions on how to update.\n\n### Workarounds\nIf you do not have IPs that expose sensitive data without authentication (typically because you do not host Indico on AWS), this vulnerability doesn\u0027t impact you and you can ignore it (but please upgrade anyway).\nAlso, only event organizers can access endpoints where SSRF could be used to actually see the data returned by such a request. So if you trust your event organizers, the risk is also very limited.\n\nFor additional security, both before and after patching, you could also use the common proxy-related environment variables (in particular `http_proxy` and `https_proxy`) to force outgoing requests to go through a proxy that limits requests in whatever way you deem useful/necessary. These environment variables would need to be set both on the indico-uwsgi and indico-celery services. Please note that setting up such a proxy is not something we can help you with.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open a thread in [our forum](https://talk.getindico.io/)\n- Email us privately at [indico-team@cern.ch](mailto:indico-team@cern.ch)",
  "id": "GHSA-f47c-3c5w-v7p4",
  "modified": "2026-02-19T21:29:46Z",
  "published": "2026-02-17T18:53:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/security/advisories/GHSA-f47c-3c5w-v7p4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/commit/70d341826116fac5868719a6133f2c26d9345137"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/indico/indico"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indico/indico/releases/tag/v3.3.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Indico has Server-Side Request Forgery (SSRF) in multiple places"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.