VYPR
High severity · 7.6 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-45082

Description

Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0, affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward internal/private network destinations, these protections could be bypassed through crafted HTTP redirect chains. By leveraging attacker-controlled redirects, an authenticated user could cause vulnerable application components to initiate requests toward internally reachable Docker network services accessible from the application environment. The issue affected multiple processing paths, including crawler-related functionality and video download processing flows. Version 0.32.0 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Karakeep before 0.32.0 allowed SSRF bypass via crafted HTTP redirect chains, enabling authenticated users to reach internal Docker services.

Vulnerability

A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in Karakeep versions prior to 0.32.0, affecting redirect-following processing components. The application implements protections intended to prevent requests toward internal/private network destinations, but these protections could be bypassed through crafted HTTP redirect chains. By leveraging attacker-controlled redirects, an authenticated user could cause vulnerable application components to initiate requests toward internally reachable Docker network services accessible from the application environment. The issue affected multiple processing paths, including crawler-related functionality and video download processing flows. [1]

Exploitation

An authenticated attacker can craft a malicious request containing a URL that redirects to an internal Docker service (e.g., http://httpbin.org/redirect-to?url=http://meilisearch:7700/version). The initial URL undergoes SSRF validation, but redirect destinations are not consistently revalidated after redirect resolution. This allows the attacker to bypass protections and trigger requests toward internal services such as meilisearch:7700 or chrome:9222. The attack requires authentication and the ability to submit requests to vulnerable endpoints (e.g., bookmark creation or video download flows). [1]

Impact

Successful exploitation allows an authenticated attacker to trigger SSRF requests toward internal Docker network services, potentially enabling access to sensitive internal endpoints, service discovery, or further attacks within the containerized environment. The privilege level is that of an authenticated user, and the scope is limited to internally reachable services accessible from the application environment. [1]

Mitigation

Version 0.32.0 contains a patch that addresses the vulnerability by ensuring consistent revalidation of redirect destinations after redirect resolution. Users should upgrade to 0.32.0 or later. No workarounds are documented in the available references. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet in this index)


References: 1
