Vercel AI SSRF (CVE-2026-8768) Poses Remote Threat

A critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-8768, has been disclosed in Vercel AI, affecting versions up to 3.0.97. The flaw resides within the validateDownloadUrl function of the provider-utils component, specifically in the packages/provider-utils/src/download-blob.ts file. This vulnerability allows for remote exploitation, enabling attackers to force the server to make arbitrary requests.

The National Vulnerability Database reports a CVSS score of 7.3 (HIGH) for CVE-2026-8768. The attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality, integrity, and availability. The exploit code for this vulnerability is publicly available, significantly increasing the immediate risk to unpatched systems. Vercel was reportedly notified prior to public disclosure but did not issue a response.

This SSRF vulnerability is a serious concern for any organization leveraging Vercel AI. Attackers can exploit this to access internal systems, enumerate network configurations, or even trigger actions on other services. The public availability of exploit code means defenders have a narrow window to mitigate before widespread attacks begin. Organizations must prioritize patching or implementing compensating controls immediately.

What This Means For You

  • If your organization utilizes Vercel AI up to version 3.0.97, you are directly exposed to a high-severity remote SSRF. Immediately identify all instances of Vercel AI within your infrastructure, assess their exposure, and prioritize patching or isolating these systems. Audit logs for any unusual outbound connections from Vercel AI components.
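One form the compensating control could take, as an added example (not Vercel AI's code and not the fix for CVE-2026-8768): a destination check run before any server-side download. `checkDownloadUrl`, its helpers and the blocked-range list are assumptions; for hostnames the caller passes in the addresses it actually resolved and will connect to.

```javascript
// Added example, not Vercel AI code; all names here are hypothetical.
// Assumes IPv6 input in hex-group form (as WHATWG URL serializes it).
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const v4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isInternalV4(ip) {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, len]) =>
    Math.floor(n / 2 ** (32 - len)) === Math.floor(v4ToInt(net) / 2 ** (32 - len)));
}

// Expand a normalized IPv6 literal (hex groups, optional "::") to 8 integers.
function expandV6(ip) {
  const [head, tail = ''] = ip.split('::');
  const a = head ? head.split(':') : [];
  const b = tail ? tail.split(':') : [];
  const fill = ip.includes('::') ? Array(8 - a.length - b.length).fill('0') : [];
  return [...a, ...fill, ...b].map((g) => parseInt(g, 16));
}

function isInternalV6(ip) {
  const g = expandV6(ip);
  if (g.slice(0, 7).every((x) => x === 0)) return true; // ::, ::1, rest of ::/112
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) { // IPv4-mapped
    return isInternalV4([g[6] >> 8, g[6] & 255, g[7] >> 8, g[7] & 255].join('.'));
  }
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80; // ULA, link-local
}

function isInternalAddress(addr) {
  return addr.includes(':') ? isInternalV6(addr) : isInternalV4(addr);
}

// resolvedAddrs: what DNS returned for a hostname. Assumption: the caller
// connects to exactly these addresses and re-runs the check on every redirect.
function checkDownloadUrl(raw, resolvedAddrs = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // URL already normalizes 0x7f.1, 2130706433
  const isLiteral = host.includes(':') || /^\d+(\.\d+){3}$/.test(host);
  const addrs = isLiteral ? [host] : resolvedAddrs;
  if (addrs.length === 0) return { ok: false, reason: 'unresolved' };
  if (addrs.some(isInternalAddress)) return { ok: false, reason: 'internal-address' };
  return { ok: true, reason: 'public' };
}
```

The check fails closed: a hostname with no resolved addresses is rejected rather than fetched.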

🛡️ Detection Rules

Severity: high | Technique: T1190 | Tactic: Initial Access

Vercel AI SSRF via download-blob.ts - CVE-2026-8768

Sigma YAML:
title: Vercel AI SSRF via download-blob.ts - CVE-2026-8768
id: scw-2026-05-17-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit the CVE-2026-8768 vulnerability in Vercel AI. This rule specifically looks for HTTP POST requests targeting the '/download-blob.ts' endpoint with a 'url=' parameter in the query string, which is indicative of an SSRF attack attempting to abuse the validateDownloadUrl function.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8768/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/download-blob.ts'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'url='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-8768 | SSRF | vercel ai up to 3.0.97
CVE-2026-8768 | SSRF | Function: validateDownloadUrl in packages/provider-utils/src/download-blob.ts
CVE-2026-8768 | SSRF | Component: provider-utils

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 18, 2026 at 02:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
