CVE-2026-63086: TGI: SSRF via image_url exposes cloud metadata creds

HIGH
Published July 16, 2026
CISO Take

Text Generation Inference (TGI), Hugging Face's production LLM inference server, contains an unauthenticated server-side request forgery vulnerability in its OpenAI-compatible multimodal chat endpoint: an attacker can submit a chat completion request with a crafted image_url and force the server to issue arbitrary HTTP GET requests, because the fetch_image validation logic never checks for private, loopback, link-local, or cloud-metadata destinations, and the underlying HTTP client follows redirects by default. With a CVSS of 8.6, no authentication or user interaction required, and low attack complexity, this is trivially reachable by anyone who can send a chat completions request to a TGI deployment, including through applications that merely proxy user-controlled image URLs into the model. There is no evidence yet of active exploitation (not in CISA KEV, no EPSS score, no public exploit or Nuclei template), but the impact is severe where it matters most: cloud-hosted TGI instances are exposed to IAM credential theft via instance metadata endpoints (e.g. 169.254.169.254) and internal network reconnaissance. Any organization running self-hosted multimodal LLM inference with TGI should patch immediately, restrict the inference server's outbound network access with egress controls or network policies blocking RFC1918/link-local ranges, and enforce IMDSv2 with a hop limit of 1 on any cloud instances running TGI.

Sources: NVD VulnCheck ATLAS

What is the risk?

Exploitability is high: the vulnerability requires no authentication, no user interaction, and low attack complexity (AV:N/AC:L/PR:N/UI:N), and the flaw is in a core, network-facing feature (the OpenAI-compatible multimodal chat endpoint) rather than an obscure code path. The CVSS 8.6 score with scope change (S:C) and high confidentiality impact reflects that a successful SSRF can escalate beyond the TGI process itself into the surrounding cloud/network environment. Real-world exploitation signals are currently absent (no CISA KEV listing, no EPSS score, no public PoC or Nuclei template), so this should be treated as an urgent-but-not-yet-weaponized risk. Exposure is highest for organizations running TGI in cloud environments with instance metadata services enabled and for any deployment where the multimodal endpoint is reachable from outside a tightly controlled network.

How does the attack unfold?

Entry point
Unauthenticated attacker submits a chat completions request to TGI's OpenAI-compatible multimodal endpoint with a crafted image_url targeting an internal or cloud-metadata address.
AML.T0049
SSRF trigger
fetch_image() performs no validation of the target address and reqwest follows redirects by default, so TGI's server issues the arbitrary GET request on the attacker's behalf.
AML.T0040
Internal reconnaissance
The attacker repeats the technique to port-scan internal services and enumerate the cloud instance-metadata service reachable only from the TGI host.
AML.T0075
Credential theft / impact
Responses fetched via SSRF (e.g. temporary IAM credentials from the metadata endpoint) are returned to the attacker, enabling further compromise of the cloud environment.
AML.T0055

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TGI pip No patch
10.9K Pushed 3mo ago 50% patched ~1d to patch Full package profile →

Do you use TGI? You're affected.

How severe is it?

CVSS 3.1
8.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I None
A None

What should I do?

1 step
  1. Upgrade text-generation-inference beyond version 3.3.7 as soon as a patched release is available (check the TGI repository/GitHub Advisory for the fix version). Until patched: disable or gate the multimodal chat completions endpoint if image_url input isn't required; place TGI behind an egress-filtering proxy or firewall rule that blocks outbound requests to RFC1918 ranges, loopback, and link-local addresses (169.254.0.0/16 and IPv6 equivalents); enforce IMDSv2 with a hop limit of 1 on cloud instances/containers running TGI so that even a successful SSRF cannot retrieve metadata credentials; apply Kubernetes NetworkPolicies or security groups restricting TGI's outbound connectivity to only required endpoints. For detection, monitor TGI server logs and egress network flows for GET requests to internal IP ranges or metadata service addresses, which is a strong indicator of exploitation attempts.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
Annex A.6.2 - AI system security
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM05 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-63086?

Text Generation Inference (TGI), Hugging Face's production LLM inference server, contains an unauthenticated server-side request forgery vulnerability in its OpenAI-compatible multimodal chat endpoint: an attacker can submit a chat completion request with a crafted image_url and force the server to issue arbitrary HTTP GET requests, because the fetch_image validation logic never checks for private, loopback, link-local, or cloud-metadata destinations, and the underlying HTTP client follows redirects by default. With a CVSS of 8.6, no authentication or user interaction required, and low attack complexity, this is trivially reachable by anyone who can send a chat completions request to a TGI deployment, including through applications that merely proxy user-controlled image URLs into the model. There is no evidence yet of active exploitation (not in CISA KEV, no EPSS score, no public exploit or Nuclei template), but the impact is severe where it matters most: cloud-hosted TGI instances are exposed to IAM credential theft via instance metadata endpoints (e.g. 169.254.169.254) and internal network reconnaissance. Any organization running self-hosted multimodal LLM inference with TGI should patch immediately, restrict the inference server's outbound network access with egress controls or network policies blocking RFC1918/link-local ranges, and enforce IMDSv2 with a hop limit of 1 on any cloud instances running TGI.

Is CVE-2026-63086 actively exploited?

No confirmed active exploitation of CVE-2026-63086 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-63086?

Upgrade text-generation-inference beyond version 3.3.7 as soon as a patched release is available (check the TGI repository/GitHub Advisory for the fix version). Until patched: disable or gate the multimodal chat completions endpoint if image_url input isn't required; place TGI behind an egress-filtering proxy or firewall rule that blocks outbound requests to RFC1918 ranges, loopback, and link-local addresses (169.254.0.0/16 and IPv6 equivalents); enforce IMDSv2 with a hop limit of 1 on cloud instances/containers running TGI so that even a successful SSRF cannot retrieve metadata credentials; apply Kubernetes NetworkPolicies or security groups restricting TGI's outbound connectivity to only required endpoints. For detection, monitor TGI server logs and egress network flows for GET requests to internal IP ranges or metadata service addresses, which is a strong indicator of exploitation attempts.

What systems are affected by CVE-2026-63086?

This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2026-63086?

CVE-2026-63086 has a CVSS v3.1 base score of 8.6 (HIGH).

What is the AI security impact?

Affected AI Architectures

model servingagent frameworksRAG pipelines

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A.6.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.

Exploitation Scenario

An unauthenticated external attacker sends a request to the organization's TGI-hosted OpenAI-compatible chat completions endpoint with message content containing an image_url set to a cloud metadata address such as http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>. Because fetch_image() in router/src/validation.rs performs no SSRF filtering and the reqwest client follows redirects by default, TGI's server-side process issues the GET request on the attacker's behalf, and the fetched content (potentially including temporary IAM credentials) flows back into the response the attacker receives. The attacker then uses those stolen credentials to pivot into other cloud resources, or reuses the same SSRF primitive to port-scan the internal network and reach admin panels or services normally inaccessible from outside the TGI host.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
July 16, 2026
Last Modified
July 16, 2026
First Seen
July 16, 2026

Related Vulnerabilities