CVE-2026-22664 HIGH

CVE-2026-22664: prompts.chat SSRF via Fal.ai Media Status Polling

Vendor F
Product prompts.chat
Weakness CWE-918 · SSRF
Published April 3, 2026
Last update May 26, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.
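The missing check described above, as an added example (not code from prompts.chat or from the fix commit): validate the status URL against an exact-host allowlist before the API key is attached, and refuse redirects. The host `queue.fal.run`, the `Key` header scheme and the function names are assumptions made for illustration.

```javascript
// Added example. Allowlisted host is an assumption, not taken from the project.
const ALLOWED_HOSTS = new Set(["queue.fal.run"]);

// Returns a parsed URL that is safe to poll, or throws if it must not be fetched.
function validateStatusUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error("not an absolute URL");
  }
  if (url.protocol !== "https:") throw new Error("scheme must be https");
  // Userinfo ("https://queue.fal.run@other.example/") disguises the real host.
  if (url.username || url.password) throw new Error("userinfo not allowed");
  if (url.port !== "") throw new Error("non-default port not allowed");
  // Exact match on the parsed hostname, never a substring or suffix test,
  // so "queue.fal.run.other.example" is rejected.
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error("host not allowlisted");
  return url;
}

// Hypothetical polling helper: the key is attached only after validation, and
// redirects are refused so the Authorization header cannot follow a bounce
// to another origin. Header format is an assumption.
async function pollStatus(rawUrl, apiKey, fetchImpl = fetch) {
  const url = validateStatusUrl(rawUrl);
  const res = await fetchImpl(url, {
    headers: { Authorization: `Key ${apiKey}` },
    redirect: "error",
  });
  return res.json();
}

// Classify constructed sample inputs as "allow" or "deny: <reason>".
function classify(samples) {
  return samples.map((s) => {
    try {
      validateStatusUrl(s);
      return "allow";
    } catch (e) {
      return "deny: " + e.message;
    }
  });
}
```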

Key dates

02 Disclosure timeline

April 3, 2026 CVE published
May 26, 2026 Record updated