CVE-2026-56285 HIGH

CVE-2026-56285: Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint

Vendor Zedeus
Product nitter
Weakness CWE-918 · SSRF
Published June 29, 2026
Last update June 29, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01 Description

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
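A defensive sketch of the checks the description says are missing, added here as an example and not taken from Nitter's code. The allowlisted hosts, the placeholder default key, the HMAC-SHA256-over-URL construction and the injectable `resolver` are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions, not taken from the advisory or from Nitter's source:
ALLOWED_HOSTS = {"video.twimg.com", "pbs.twimg.com"}  # assumed media hosts
PLACEHOLDER_KEYS = {b"", b"CHANGE-ME-DEFAULT-KEY"}    # stand-in for the shipped default


def sign(key: bytes, url: str) -> str:
    """Hex HMAC-SHA256 over the URL (the MAC construction is an assumption)."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


def resolve(host: str) -> list[str]:
    """Default resolver: every address the name currently maps to."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, 443)]


def check_proxy_target(key, url, sig, resolver=resolve):
    """Return (allowed, reason) for a signed media-proxy request."""
    # 1. A key shared by every default install authenticates nothing.
    if key in PLACEHOLDER_KEYS:
        return False, "default-key"
    # 2. Constant-time signature comparison.
    if not hmac.compare_digest(sign(key, url).encode(), sig.encode()):
        return False, "bad-signature"
    # 3. A valid signature is not a destination policy: require HTTPS to
    #    an expected media host, with no userinfo and no unusual port.
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed-url"
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or parts.username is not None or port not in (None, 443):
        return False, "bad-scheme-or-authority"
    if host not in ALLOWED_HOSTS:
        return False, "host-not-allowed"
    # 4. Reject names that resolve to loopback, private or link-local space.
    for addr in resolver(host):
        if not ipaddress.ip_address(addr).is_global:
            return False, "internal-address"
    return True, "ok"
```

The outbound fetch should connect to the address that passed step 4 and apply the same checks to any redirect target, otherwise a later DNS answer or a redirect can bypass the policy.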

Key dates

02 Disclosure timeline

June 29, 2026 CVE published
June 29, 2026 Record updated
