CVE-2026-5803: openai-realtime-ui: SSRF in API proxy endpoint
Severity: MEDIUM
CVE-2026-5803 is a Server-Side Request Forgery (CWE-918) in the API proxy endpoint of bigsk1/openai-realtime-ui, a community-built UI for OpenAI's Realtime API, where an authenticated remote attacker can manipulate the query parameter in server.js to force the server to issue arbitrary outbound HTTP requests. The primary CISO concern is credential theft: SSRF in AI API proxies is acutely dangerous because these servers typically hold high-value OpenAI API keys in their environment, and an attacker can pivot to cloud metadata endpoints (e.g., AWS IMDS 169.254.169.254) to harvest those credentials and subsequently abuse them for cost harvesting or data exfiltration. Although CVSS is a moderate 6.3 and this is a niche project, the exploit has already been publicly released and requires only low privileges with no user interaction, putting opportunistic exploitation well within script-kiddie reach. Apply the published patch (commit 54f8f50f), enforce strict egress filtering on any self-hosted OpenAI proxy, and rotate API keys immediately if this component is deployed in your environment.
Risk Assessment
This is a medium-severity vulnerability with characteristics that elevate practical risk above what the CVSS score suggests: no authentication required beyond low-privilege access, low attack complexity (AC:L), and a publicly released exploit. The real exposure is the API key theft chain — SSRF to cloud metadata is a well-understood lateral escalation path that can convert a 6.3 medium into a full credential compromise. Limited blast radius due to niche adoption of this specific community project keeps overall fleet risk low, but any team running this UI in production should treat this as high-priority patching.
Recommended Action
- Patch immediately: apply commit 54f8f50f43af97c334a881af7b021e84b5b8310f from the upstream repo.
- Rotate OpenAI API keys used by any instance of this service — treat them as compromised if the service was internet-exposed.
- Enforce strict egress filtering on the host running this proxy; block access to cloud metadata endpoints (169.254.169.254, 100.64.0.0/10) and internal RFC1918 ranges from the application process.
- Require authentication before any access to the proxy endpoint.
- Detection: monitor outbound HTTP requests from the proxy process for anomalous destinations, especially metadata service IPs and non-OpenAI domains.
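One way to enforce the destination restrictions listed above inside a Node.js proxy, as an added example that is not the project's patch or code. The allowlisted host `api.openai.com`, the function names, and the caller-supplied `resolvedAddrs` argument (IPv4 answers from DNS) are assumptions.

```javascript
// Added example: destination check for a proxy's upstream URL (not the project's patch).
// ALLOWED_HOSTS is an assumption about what this deployment needs to reach.
const ALLOWED_HOSTS = new Set(['api.openai.com']);

// Ranges named in the egress guidance above, plus loopback.
const DENIED_V4 = [
  ['169.254.0.0', 16], // link-local, covers the 169.254.169.254 metadata service
  ['100.64.0.0', 10],
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC1918
  ['127.0.0.0', 8], // loopback
];

function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the address is in a denied range. Anything that is not a
// dotted-quad IPv4 address (IPv6 included) is treated as denied.
function isDeniedAddress(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return DENIED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// resolvedAddrs: the IPv4 addresses the caller obtained from DNS for the host.
function checkProxyTarget(rawUrl, resolvedAddrs) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password || url.port) return { ok: false, reason: 'credentials or port in URL' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: 'host not on allowlist' };
  if (!Array.isArray(resolvedAddrs) || resolvedAddrs.length === 0) return { ok: false, reason: 'no resolved address' };
  const bad = resolvedAddrs.find(isDeniedAddress);
  if (bad !== undefined) return { ok: false, reason: `resolves to denied address ${bad}` };
  return { ok: true, reason: 'allowed' };
}
```

The outbound request should connect to the address that was checked rather than resolving the name a second time, so the validated answer and the one actually used cannot differ.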
Technical Details
NVD Description
A security flaw has been discovered in bigsk1 openai-realtime-ui up to 188ccde27fdf3d8fab8da81f3893468f53b2797c. The affected element is an unknown function of the file server.js of the component API Proxy Endpoint. Performing a manipulation of the argument Query results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is named 54f8f50f43af97c334a881af7b021e84b5b8310f. It is suggested to install a patch to address this issue.
Exploitation Scenario
An attacker with a low-privilege account (or using any exposed unauthenticated path if misconfigured) sends a crafted request to the API proxy endpoint in server.js with the query parameter set to an internal target such as http://169.254.169.254/latest/meta-data/iam/security-credentials/. The proxy faithfully fetches the URL and returns the response, leaking AWS temporary credentials. The attacker then uses those credentials to access other AWS services, extract secrets (including the OpenAI API key stored in SSM or environment variables), and either sell API access or use it to run high-cost inference workloads at the victim's expense.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
References
- github.com/BruceJqs/public_exp/issues/3
- github.com/bigsk1/openai-realtime-ui/
- github.com/bigsk1/openai-realtime-ui/commit/54f8f50f43af97c334a881af7b021e84b5b8310f
- github.com/bigsk1/openai-realtime-ui/issues/1
- github.com/bigsk1/openai-realtime-ui/pull/2
- vuldb.com/submit/786984
- vuldb.com/vuln/356242
- vuldb.com/vuln/356242/cti
Related Vulnerabilities
- CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation (same attack type: Data Extraction)
- CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10) (same attack type: Data Extraction)
- CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read (same attack type: Data Extraction)
- CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata (same attack type: Data Extraction)
- GHSA-vvpj-8cmc-gx39 10.0 picklescan: security flaw enables exploitation (same attack type: Auth Bypass)