CVE-2026-45373: CodeWhale SSRF Vulnerability via IPv6 Bracket Notation
CodeWhale, a terminal-based coding agent that integrates DeepSeek and MiMo AI models, contains a server-side request forgery (SSRF) vulnerability in versions prior to 0.8.26. The vulnerability exists because SSRF validation checks fail when IPv6 addresses are specified using bracket notation (e.g., http://[::1]). An attacker can bypass the SSRF defenses by crafting URLs with IPv6 localhost or other restricted addresses in this format, potentially allowing unauthorized access to internal services or metadata endpoints that the CodeWhale process can reach from its host environment.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CodeWhale implements SSRF protections that validate against hostnames resolving to private IPv6 addresses. However, the validation logic does not properly handle IPv6 addresses when they are formatted using the standard URL bracket notation (http://[::1]). This bypasses the hostname resolution check because the bracket-enclosed IPv6 literal is parsed differently than the expected validation logic accounts for. By sending requests to http://[::1] or similar private IPv6 addresses in bracket notation, an attacker circumvents the SSRF defenses and gains the ability to make arbitrary network requests from the CodeWhale process context. The vulnerability is classified under CWE-918 (Server-Side Request Forgery), indicating a failure in input validation or network access control. The vector indicates the attack requires network access, low complexity, no privileges, and user interaction, with impact scope change allowing potential access to confidential data.
Business impact
If CodeWhale is deployed in a cloud or containerized environment, or on a shared host, an attacker can exploit this to access internal APIs, cloud metadata services (AWS IMDSv1, Google Cloud metadata), or other sensitive internal services. This could lead to credential theft, configuration exposure, or lateral movement within the infrastructure. For development teams using CodeWhale as part of their CI/CD pipeline or local development workflow, this creates a supply-chain or insider risk if the tool is compromised or if malicious prompts are injected. The risk is elevated by the fact that CodeWhale runs in terminal environments where it may have broader network permissions than typical web applications.
Affected systems
CodeWhale versions prior to 0.8.26 are vulnerable. The vulnerability applies to any deployment of the tool on systems where the CodeWhale process has network access to internal services, cloud metadata endpoints, or other restricted resources. End users and development teams running CodeWhale locally or in CI/CD environments should prioritize assessment and patching. Since no vendor product listing was provided in the source data, affected deployments are those explicitly running the CodeWhale terminal agent.
Exploitability
Exploiting this vulnerability requires user interaction (the CVSS vector indicates UI:R), meaning an attacker would need to trick a CodeWhale user into making a request (e.g., through a crafted prompt or malicious configuration) that triggers the tool to fetch a URL with a bracketed IPv6 address. The attack does not require authentication or special privileges. The network-based attack vector and low complexity make it feasible for remote attackers if they can influence what URLs CodeWhale attempts to fetch. However, the requirement for user interaction provides some friction—exploitation is not fully automatic without social engineering or prompt injection.
Remediation
Upgrade CodeWhale to version 0.8.26 or later, which includes a fix for the IPv6 bracket notation SSRF bypass. Organizations should inventory all deployments of CodeWhale, particularly in CI/CD pipelines and development environments. After patching, validate that SSRF protections are functioning by testing with IPv6 localhost notation. If you cannot upgrade immediately, implement network segmentation to restrict the CodeWhale process's access to internal services and metadata endpoints using firewall rules or container network policies.
Patch guidance
Apply the upgrade to CodeWhale 0.8.26 or later. Verify the patch by checking the tool's version output (typically via a --version flag or similar). Since CodeWhale is a terminal agent, patches should be deployed to all machines, CI/CD runners, and containers where the tool is installed. Ensure any local caches or pinned versions in dependency management files (if applicable) are updated. Test in a non-production environment first to confirm the upgrade does not break existing workflows.
Detection guidance
Monitor for network requests from CodeWhale processes to private IPv6 addresses or localhost (::1, ::ffff:127.0.0.1) using URLs with bracket notation. Review proxy logs and host-level network monitoring for outbound requests from CodeWhale to unexpected internal services or cloud metadata endpoints. If you use endpoint detection and response (EDR) tools, create rules to flag network activity initiated by the CodeWhale process to restricted ranges. Inspect CodeWhale's command history or prompt logs if available to detect suspicious or unusual requests.
Why prioritize this
This vulnerability should be prioritized due to its HIGH severity (CVSS 7.4), potential for confidential data exposure, and the broad attack surface in modern development environments where CodeWhale may be deployed. The SSRF vulnerability class is well-understood and commonly exploited in supply-chain and infrastructure attacks. The requirement for user interaction provides moderate mitigation, but the ease of crafting a malicious prompt or configuration makes this a realistic threat. Immediate patching in production and sensitive development environments is recommended.
Risk score, explained
The CVSS 7.4 score reflects a HIGH severity vulnerability due to several factors: (1) Network-based attack vector with no authentication requirement, (2) Low attack complexity, (3) Potential for confidential information disclosure (C:H), and (4) Scope change, indicating the impact could extend beyond the vulnerable component to other systems accessible by CodeWhale. However, the score is not CRITICAL because exploitation requires user interaction and does not enable code execution or system availability impact directly on CodeWhale itself.
Frequently asked questions
Can this vulnerability be exploited remotely without any user action?
No. The CVSS vector indicates UI:R (User Interaction: Required), meaning an attacker must trick a CodeWhale user into making a request—for example, through a malicious prompt or configuration file—that triggers CodeWhale to fetch a URL with the bracketed IPv6 notation. The attack cannot be triggered purely from the network without some form of social engineering or prompt injection.
How does the IPv6 bracket notation bypass the SSRF defenses?
CodeWhale's SSRF validation checks whether a hostname resolves to private IPv6 addresses. However, when an IPv6 address is provided in URL format using bracket notation (http://[::1]), the validation logic does not properly parse or validate this format. The brackets are part of the standard URL RFC for IPv6 literals, but CodeWhale's check was written to validate resolved hostnames rather than literal IPv6 addresses in URL form, creating the bypass.
If CodeWhale is running on my local machine with no network access to sensitive services, am I at risk?
Your risk is lower but not zero. If CodeWhale is isolated and has no network path to internal services, cloud metadata endpoints, or other restricted resources, the practical impact of this SSRF is limited. However, if you share your machine with other users, run CodeWhale in a container with broader network access, or use it in a corporate network with accessible internal services, you should still patch to eliminate the attack surface.
What should I do if I cannot upgrade CodeWhale immediately?
Implement network-level controls: use a firewall or security group to restrict CodeWhale's outbound access to only the services it legitimately requires. In container environments, use network policies to isolate the CodeWhale container. Monitor network logs for suspicious requests to private IPv6 addresses or localhost. If CodeWhale is used in CI/CD, review and limit the permissions granted to the CI/CD runner. Schedule the upgrade as soon as feasible, as this is a known and publically disclosed vulnerability.
This analysis is based on the CVE-2026-45373 vulnerability description and CVSS scoring provided as of the published date. No exploit code or working proof-of-concept is presented. Organizations should verify patch availability and compatibility against the vendor advisory and their own environment configurations. The absence of KEV status does not indicate the vulnerability is not exploited in the wild; validate against current threat intelligence sources. This assessment assumes typical deployment scenarios; risk may vary based on network architecture, access controls, and specific use cases. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-44285HIGHFastGPT SSRF Vulnerability in Dataset Preview Endpoint