Medium severity5.8NVD Advisory· Published Apr 20, 2026· Updated Apr 23, 2026

CVE-2026-25883

Description

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on the webhook URL, enabling Server-Side Request Forgery (SSRF). An authenticated attacker can set their webhook URL to target internal services (Redis, databases, admin panels), cloud metadata endpoints (AWS/GCP credential theft), and/or localhost services. Version 0.10.0-260419-1910 patches the issue.

Affected products

Vexa/Vexa
cpe:2.3:a:vexa:vexa:*:*:*:*:*:*:*:*
Range: <=0.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Vexa-ai/vexa/security/advisories/GHSA-fhr6-8hff-cvg4nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.377
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000