CVE-2026-63086: TGI: SSRF via image_url exposes cloud metadata creds
HIGHText Generation Inference (TGI), Hugging Face's production LLM inference server, contains an unauthenticated server-side request forgery vulnerability in its OpenAI-compatible multimodal chat endpoint: an attacker can submit a chat completion request with a crafted image_url and force the server to issue arbitrary HTTP GET requests, because the fetch_image validation logic never checks for private, loopback, link-local, or cloud-metadata destinations, and the underlying HTTP client follows redirects by default. With a CVSS of 8.6, no authentication or user interaction required, and low attack complexity, this is trivially reachable by anyone who can send a chat completions request to a TGI deployment, including through applications that merely proxy user-controlled image URLs into the model. There is no evidence yet of active exploitation (not in CISA KEV, no EPSS score, no public exploit or Nuclei template), but the impact is severe where it matters most: cloud-hosted TGI instances are exposed to IAM credential theft via instance metadata endpoints (e.g. 169.254.169.254) and internal network reconnaissance. Any organization running self-hosted multimodal LLM inference with TGI should patch immediately, restrict the inference server's outbound network access with egress controls or network policies blocking RFC1918/link-local ranges, and enforce IMDSv2 with a hop limit of 1 on any cloud instances running TGI.
What is the risk?
Exploitability is high: the vulnerability requires no authentication, no user interaction, and low attack complexity (AV:N/AC:L/PR:N/UI:N), and the flaw is in a core, network-facing feature (the OpenAI-compatible multimodal chat endpoint) rather than an obscure code path. The CVSS 8.6 score with scope change (S:C) and high confidentiality impact reflects that a successful SSRF can escalate beyond the TGI process itself into the surrounding cloud/network environment. Real-world exploitation signals are currently absent (no CISA KEV listing, no EPSS score, no public PoC or Nuclei template), so this should be treated as an urgent-but-not-yet-weaponized risk. Exposure is highest for organizations running TGI in cloud environments with instance metadata services enabled and for any deployment where the multimodal endpoint is reachable from outside a tightly controlled network.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TGI | pip | — | No patch |
Do you use TGI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade text-generation-inference beyond version 3.3.7 as soon as a patched release is available (check the TGI repository/GitHub Advisory for the fix version). Until patched: disable or gate the multimodal chat completions endpoint if image_url input isn't required; place TGI behind an egress-filtering proxy or firewall rule that blocks outbound requests to RFC1918 ranges, loopback, and link-local addresses (169.254.0.0/16 and IPv6 equivalents); enforce IMDSv2 with a hop limit of 1 on cloud instances/containers running TGI so that even a successful SSRF cannot retrieve metadata credentials; apply Kubernetes NetworkPolicies or security groups restricting TGI's outbound connectivity to only required endpoints. For detection, monitor TGI server logs and egress network flows for GET requests to internal IP ranges or metadata service addresses, which is a strong indicator of exploitation attempts.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-63086?
Text Generation Inference (TGI), Hugging Face's production LLM inference server, contains an unauthenticated server-side request forgery vulnerability in its OpenAI-compatible multimodal chat endpoint: an attacker can submit a chat completion request with a crafted image_url and force the server to issue arbitrary HTTP GET requests, because the fetch_image validation logic never checks for private, loopback, link-local, or cloud-metadata destinations, and the underlying HTTP client follows redirects by default. With a CVSS of 8.6, no authentication or user interaction required, and low attack complexity, this is trivially reachable by anyone who can send a chat completions request to a TGI deployment, including through applications that merely proxy user-controlled image URLs into the model. There is no evidence yet of active exploitation (not in CISA KEV, no EPSS score, no public exploit or Nuclei template), but the impact is severe where it matters most: cloud-hosted TGI instances are exposed to IAM credential theft via instance metadata endpoints (e.g. 169.254.169.254) and internal network reconnaissance. Any organization running self-hosted multimodal LLM inference with TGI should patch immediately, restrict the inference server's outbound network access with egress controls or network policies blocking RFC1918/link-local ranges, and enforce IMDSv2 with a hop limit of 1 on any cloud instances running TGI.
Is CVE-2026-63086 actively exploited?
No confirmed active exploitation of CVE-2026-63086 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-63086?
Upgrade text-generation-inference beyond version 3.3.7 as soon as a patched release is available (check the TGI repository/GitHub Advisory for the fix version). Until patched: disable or gate the multimodal chat completions endpoint if image_url input isn't required; place TGI behind an egress-filtering proxy or firewall rule that blocks outbound requests to RFC1918 ranges, loopback, and link-local addresses (169.254.0.0/16 and IPv6 equivalents); enforce IMDSv2 with a hop limit of 1 on cloud instances/containers running TGI so that even a successful SSRF cannot retrieve metadata credentials; apply Kubernetes NetworkPolicies or security groups restricting TGI's outbound connectivity to only required endpoints. For detection, monitor TGI server logs and egress network flows for GET requests to internal IP ranges or metadata service addresses, which is a strong indicator of exploitation attempts.
What systems are affected by CVE-2026-63086?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.
What is the CVSS score for CVE-2026-63086?
CVE-2026-63086 has a CVSS v3.1 base score of 8.6 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0040 AI Model Inference API Access AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0075 Cloud Service Discovery Compliance Controls Affected
What are the technical details?
Original Advisory
text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.
Exploitation Scenario
An unauthenticated external attacker sends a request to the organization's TGI-hosted OpenAI-compatible chat completions endpoint with message content containing an image_url set to a cloud metadata address such as http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>. Because fetch_image() in router/src/validation.rs performs no SSRF filtering and the reqwest client follows redirects by default, TGI's server-side process issues the GET request on the attacker's behalf, and the fetched content (potentially including temporary IAM credentials) flows back into the response the attacker receives. The attacker then uses those stolen credentials to pivot into other cloud resources, or reuses the same SSRF primitive to port-scan the internal network and reach admin panels or services normally inaccessible from outside the TGI host.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-0599 7.5 text-generation: DoS causes service disruption
Same package: text-generation-inference CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Data Extraction CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Data Extraction CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Data Extraction CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Data Extraction