CVE-2026-46526: Local Deep Research URL Validation SSRF Vulnerability (v<1.6.10)
Local Deep Research versions before 1.6.10 contain a Server-Side Request Forgery (SSRF) vulnerability caused by inconsistent URL validation logic. The application attempts to block malicious URLs using one parsing method but actually sends requests using a different method, creating a gap that attackers can exploit. An authenticated user can craft a specially formatted URL that passes the security checks but reaches an unintended internal or restricted server when the request is actually sent.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks. However, there are indeed differences in parsing between urlparse and the library that actually sends the request. For example, in safe_get, validate_url is first used to perform an SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from a mismatch between validation and execution: the validate_url function uses Python's urlparse to inspect and restrict the host portion of URLs, but the safe_get function then uses the requests library to send HTTP requests. These libraries parse URLs differently, particularly in handling edge cases and URL formatting variations. An attacker with valid credentials can construct a URL that appears safe to urlparse but is interpreted differently by requests, bypassing SSRF protections and allowing access to internal services, private IP ranges, or localhost resources that should be blocked.
Business impact
This vulnerability primarily affects organizations deploying Local Deep Research as an internal research tool or as part of a larger AI workflow. Authenticated users could potentially access internal APIs, databases, or services that should remain isolated from external requests. In multi-tenant or shared environments, this could facilitate lateral movement or data exfiltration. The requirement for valid credentials limits the immediate attack surface, but insider threats or compromised accounts amplify the risk. Organizations relying on network segmentation to protect backend services should treat this as a medium-priority remediation task.
Affected systems
Local Deep Research versions prior to 1.6.10 are affected. The vulnerability requires an authenticated user to trigger; it does not affect unauthenticated access. Any deployment using versions 1.6.9 or earlier should be considered vulnerable.
Exploitability
Exploitation requires valid authentication credentials to access the application, which moderates the overall risk. An attacker with a legitimate account or someone who has compromised credentials can craft malicious URLs to probe or interact with internal services. The attack does not require user interaction or social engineering beyond initial account compromise. The logical flaw is deterministic and likely stable across URL variations, making reliable exploitation feasible for a determined attacker who understands the parsing differences.
Remediation
Upgrade Local Deep Research to version 1.6.10 or later, which aligns URL validation and request logic. Organizations unable to upgrade immediately should implement network-level controls: restrict outbound HTTP/HTTPS from the application to known-safe destinations, isolate the application on a network segment with limited access to internal services, and audit logs for unexpected external or internal requests. Review user access controls to minimize the number of authenticated accounts.
Patch guidance
Apply the 1.6.10 release update to all deployments. Verify the patch is live by checking the application version in the UI or via API documentation. If using containerized deployments, rebuild and redeploy with the updated version tag. No configuration changes are required post-patch; the fix addresses the underlying validation logic.
Detection guidance
Monitor HTTP and HTTPS request logs from Local Deep Research for connections to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) or localhost. Alert on any requests to unusual ports on internal services (e.g., port 6379 for Redis, port 27017 for MongoDB, port 3306 for MySQL). Inspect application logs for validation bypass attempts or errors related to URL parsing. In cloud environments, monitor for unexpected egress traffic or calls to metadata services (169.254.169.254). Correlate authentication logs with request patterns to identify suspicious user activity.
Why prioritize this
This is a medium-severity vulnerability suitable for planned patching within a standard release cycle (30–60 days). It requires authentication and does not directly cause data loss or system unavailability. However, it should not be deferred indefinitely: the simplicity of the exploit and the potential for lateral movement or data access justify prioritization over low-severity issues. Organizations with strict network segmentation may deprioritize further; those with looser internal network policies should accelerate deployment.
Risk score, explained
The CVSS 3.1 score of 5.0 (Medium) reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for low-privilege authentication (PR:L), no user interaction (UI:N), and scope change (S:C) enabling impact on resources beyond the application. Confidentiality impact is rated low (C:L) because the attack allows read access to internal services but not guaranteed large-scale data exfiltration. Integrity and availability are not affected. The score appropriately weighs the authentication barrier against the ability to bypass network controls.
Frequently asked questions
Does this vulnerability affect our Local Deep Research deployment if we do not expose it to untrusted networks?
Partially. Even on internal networks, a compromised employee account or insider with legitimate access can exploit this vulnerability. The authentication requirement does not eliminate risk if your environment has multiple users or if account credentials are ever compromised. Patching is still recommended.
What is the difference between the validate_url and requests.get parsing that causes this issue?
urlparse and the requests library can interpret URL components differently, particularly around non-standard port specifications, IPv6 notation, Unicode encoding, and special characters. An attacker can craft a URL that bypasses urlparse's host checks but is resolved differently when requests actually sends the HTTP request, such as routing to localhost or an internal IP instead of the intended safe destination.
If we patch to 1.6.10, do we need to update any configuration files?
No. The patch fixes the underlying validation logic in the application code. No manual configuration changes are required. Simply upgrade the version, restart the service, and verify it boots successfully.
Can this vulnerability be exploited without valid credentials?
No. The vulnerability requires an authenticated user to craft and submit a malicious URL. Unauthenticated attackers cannot trigger it directly. However, if your Local Deep Research instance has weak authentication, shared credentials, or is integrated with a single-sign-on system with overly permissive access policies, the practical barrier to exploitation is lower.
This analysis is based on the CVE description and CVSS scoring provided as of the publication date. Actual exploitability and impact may vary based on network architecture, authentication configuration, and deployment context. Always verify patch applicability against your vendor's official advisory before deploying. No proof-of-concept code or weaponized exploitation details are provided. Test patches in a non-production environment before rolling out to production. This information is provided for defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata