CVE-2026-8768 MEDIUM

CVE-2026-8768: vercel ai provider-utils download-blob.ts validateDownloadUrl server-side request forgery

Vendor Vercel
Product ai
Weakness CWE-918 · SSRF
Published May 17, 2026
Last update May 18, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Key dates

02Disclosure timeline

May 17, 2026 CVE published
May 18, 2026 Record updated