MEDIUM 6.3

CVE-2026-10177: SSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint

Aider-AI's Aider version 0.86.3 contains a server-side request forgery (SSRF) vulnerability in its AWS EC2 metadata endpoint handling. An authenticated attacker can exploit the requests.get function in api_docs.py to make the application fetch resources from arbitrary locations, potentially accessing sensitive internal services or metadata. The vulnerability is remotely exploitable and public disclosure has already occurred.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Aider-AI Aider 0.86.3. This affects the function requests.get of the file api_docs.py of the component AWS EC2 Metadata Endpoint. The manipulation leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The pull request to fix this issue awaits acceptance.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10177 is an SSRF vulnerability (CWE-918) in Aider 0.86.3 affecting the requests.get call within api_docs.py's AWS EC2 metadata endpoint component. The flaw allows authenticated users to manipulate HTTP request parameters, enabling the server to initiate connections to attacker-controlled or internal destinations. The CVSS 3.1 score of 6.3 reflects the requirement for authentication (PR:L) while acknowledging confidentiality, integrity, and availability impacts. Public exploit information is available, elevating real-world risk despite the MEDIUM severity rating.

Business impact

Organizations deploying Aider 0.86.3 face exposure of internal service metadata, potential lateral movement into AWS infrastructure, and exfiltration of sensitive configuration data. In multi-tenant or shared infrastructure environments, the SSRF could serve as a pivot point for attackers already possessing user credentials. The combination of public disclosure and available exploits accelerates time-to-compromise; patching delay directly increases breach probability in competitive threat landscapes.

Affected systems

Aider-AI Aider version 0.86.3 is confirmed affected. The vulnerability resides in the AWS EC2 metadata endpoint integration within api_docs.py. Organizations running this specific version with network access to AWS metadata services or other internal endpoints are at immediate risk. Earlier or later versions have not been explicitly listed as affected in available advisories; verify against Aider-AI's official security guidance for comprehensive version scope.

Exploitability

The vulnerability requires valid user authentication (PR:L per CVSS vector) but involves no complex attack chains. Network access is required, but the endpoint is likely exposed in typical Aider deployments. Public disclosure means exploit code or detailed technical walkthroughs are available, lowering the barrier for opportunistic attackers. The lack of user interaction (UI:N) means exploitation can be automated at scale once credentials are obtained through phishing or credential compromise.

Remediation

Aider-AI has prepared a patch via an open pull request; monitor the project repository for merge and release. Until an official patch is available, implement network-level segmentation to restrict outbound connections from Aider processes to only approved destinations. Disable or isolate the AWS EC2 metadata endpoint integration if not operationally required. Rotate any credentials or metadata potentially accessed through this vector. Enforce authentication controls and audit logs for unusual requests to api_docs.py endpoints.

Patch guidance

Verify the status of the pending pull request in the Aider-AI repository for availability of a patched release. When released, apply the patch as soon as feasible given the MEDIUM severity rating and public exploit availability. Test in a staging environment first to ensure compatibility with your Aider configuration and downstream integrations. If a patch is not yet released, plan an upgrade timeline aligned with the vendor's release schedule and prioritize based on your exposure to the AWS metadata endpoint.

Detection guidance

Monitor api_docs.py request logs for anomalous Host headers, unusual destination IPs in requests.get calls, or repeated 169.254.169.254 (AWS metadata) access patterns. Correlate authentication events with outbound connection attempts to internal services. Alert on requests containing SSRF payloads (e.g., localhost, 127.0.0.1, or cloud metadata IPs) from non-administrative users. Implement egress filtering rules to log and alert on Aider process connections to unexpected internal addresses or AWS metadata endpoints.

Why prioritize this

Although rated MEDIUM, this vulnerability merits prompt remediation due to public exploit availability, remote exploitability, and the sensitive nature of AWS metadata access. Authenticated attackers can quickly escalate exposure in environments with loose credential controls. The combination of disclosure timing and the infrastructure-critical nature of AWS metadata integration justifies treating this above standard MEDIUM priority in most environments.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects partial confidentiality, integrity, and availability impacts, network accessibility, and low attack complexity—offset by the authentication requirement. However, in practical risk assessment, public exploit availability and the centrality of metadata endpoints to cloud infrastructure warrant internal risk scoring elevation. Organizations should factor in credential compromise likelihood, Aider's role in their architecture, and incident response maturity when setting patch timelines.

Frequently asked questions

Does this vulnerability affect all versions of Aider, or only 0.86.3?

Only version 0.86.3 is explicitly confirmed affected. Verify your running version immediately. Earlier versions may be unaffected, but later versions' status depends on when the patch is released and merged. Check Aider-AI's official advisory for the complete affected version range once the fix is available.

Is authentication required to exploit this vulnerability?

Yes. The CVSS vector shows PR:L, meaning valid user credentials are necessary. However, in environments with weak credential hygiene or high-volume phishing, obtaining authentication is often feasible. Do not treat the authentication requirement as complete protection.

What is the AWS EC2 metadata endpoint, and why is SSRF access to it dangerous?

The metadata endpoint (169.254.169.254) provides instance credentials, IAM role data, and environment configuration without authentication. If an attacker forces Aider to query it, they can steal active AWS credentials, leading to unauthorized cloud resource access, data exfiltration, or infrastructure compromise.

Should we stop using Aider until a patch is available?

Not necessarily, but implement compensating controls immediately: restrict outbound network access from Aider processes, segment your network so Aider cannot reach internal services or AWS metadata, enforce strong authentication, and monitor logs. Discontinue use only if these controls are infeasible and Aider processes untrusted inputs from external users.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. SEC.co does not guarantee the accuracy, completeness, or timeliness of this information. CVSS scores, version numbers, and KEV status reflect data current as of the publication date; verify against official vendor advisories before patching. No liability is assumed for decisions made based on this guidance. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).