CVE-2026-42352: Python SSRF, unvalidated callback URL
greprules fetch cve-2026-42352-python-ssrf-unvalidated-callback-url --engine opengrep
Description
HTTP request issued with a URL taken from a user-supplied object attribute (field name matching *url or *uri) without SSRF validation. An attacker who controls this value can supply an internal address (127.0.0.1, RFC-1918, 169.254.169.254 cloud metadata endpoint) to make the server issue arbitrary internal HTTP requests. Resolve the hostname and verify the
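As an added illustration of the pattern this rule describes (example code written for this page, not code from greprules, the rule's own test cases, or any real project), the flagged shape is shown beside a validator that resolves the hostname and rejects loopback, RFC-1918, link-local (including the 169.254.169.254 metadata endpoint), IPv4-mapped IPv6 and other non-public answers before any request is issued. `WebhookConfig`, `notify_vulnerable`, `notify_hardened`, `resolve_and_check`, the `FAKE_HOSTS` table and `fake_resolver` are assumptions made so the block runs offline; in real use the resolver defaults to `socket.getaddrinfo` and `post` would be something like `requests.post`.

```python
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class WebhookConfig:
    # Attribute name matches the rule's "*url" pattern; value is user-supplied.
    callback_url: str


class UnsafeURL(ValueError):
    """Raised when a callback URL must not be fetched by the server."""


def notify_vulnerable(cfg, post):
    # The shape the rule flags: a user-controlled attribute goes straight into
    # an outbound request, so 127.0.0.1, 10.0.0.0/8 or 169.254.169.254 all work.
    return post(cfg.callback_url, json={"event": "done"})


CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space, often cloud-internal


def _is_internal(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.version == 4 and addr in CGNAT:
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_and_check(url, resolver=socket.getaddrinfo):
    """Validate scheme and host, resolve the name, reject internal targets.

    Returns (hostname, vetted_ip, port). `resolver` stands in for
    socket.getaddrinfo so the check can be exercised offline against a table.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise UnsafeURL("invalid port") from exc
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeURL("cannot resolve %r" % host) from exc
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    if not addrs:
        raise UnsafeURL("no addresses for %r" % host)
    # Every answer must be public: a name with one public and one RFC-1918
    # record is rejected outright, not only when the internal one comes first.
    for addr in addrs:
        if _is_internal(addr):
            raise UnsafeURL("%r resolves to internal address %s" % (host, addr))
    return host, str(sorted(addrs, key=str)[0]), port


def notify_hardened(cfg, post, resolver=socket.getaddrinfo):
    resolve_and_check(cfg.callback_url, resolver)
    # Redirects are disabled: a vetted public host could otherwise 302 the
    # request to an internal address after the check has passed.
    return post(cfg.callback_url, json={"event": "done"},
                allow_redirects=False, timeout=5)


# Constructed resolver table (an assumption, not real DNS) for offline use.
FAKE_HOSTS = {
    "hooks.example.com": ["8.8.8.8"],                   # public answer
    "split.example.com": ["8.8.8.8", "10.0.0.5"],       # one internal record
    "metadata.internal": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],   # decimal literal, as inet_aton would parse it
}


def fake_resolver(host, port, **_):
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal resolves to itself
    except ValueError:
        if host not in FAKE_HOSTS:
            raise socket.gaierror(-2, "Name or service not known")
        ips = FAKE_HOSTS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]


if __name__ == "__main__":
    def fake_post(url, **kwargs):   # stands in for requests.post
        return {"url": url, **kwargs}
    for u in ("https://hooks.example.com/cb", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "http://2130706433/"):
        try:
            print("allowed", notify_hardened(WebhookConfig(u), fake_post, fake_resolver)["url"])
        except UnsafeURL as exc:
            print("blocked", u, "->", exc)
```

Two caveats a reviewer should raise on any such fix. First, the validator resolves once and the HTTP client resolves again, which leaves a DNS-rebinding window; closing it means connecting to the vetted IP while keeping the original Host header and TLS SNI, which the plain `requests.post` call above does not do. Second, string-level checks on the URL (blocklisting "127.0.0.1" or "169.254.") are not enough, which is why the decision is made on the resolved addresses: `http://2130706433/` contains no dotted address at all yet resolves to loopback.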
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided