Description

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.

INFO

Published Date :

2026-04-03T20:27:48.247Z

Last Modified :

2026-04-07T14:19:51.012Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22664 vulnerability.

Vendors Products
F
  • Prompts.chat
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22664.

URL Resource
https://gist.github.com/mdisec/27c0cac0ec6a8f3c8f85a18987ddb942 cve-icon cve-icon cve-icon
https://github.com/f/prompts.chat/commit/30a8f0470e0ba45e6be9c9f55220f4a9a6b91c99 cve-icon cve-icon
https://www.vulncheck.com/advisories/prompts-chat-ssrf-via-fal-ai-media-status-polling cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact