Description

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.download_from_url() in app/services/file_service.py calls requests.get(url) with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by appending .mp3 to any internal URL. The /speech-to-text-url endpoint is unauthenticated. This vulnerability is fixed in 0.6.0.

INFO

Published Date :

2026-04-06T16:19:13.887Z

Last Modified :

2026-04-06T18:45:41.844Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34981 vulnerability.

Vendors Products
Pavelzbornik
  • Whisperx-fastapi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34981.

URL Resource
https://github.com/pavelzbornik/whisperX-FastAPI/commit/ef78fe2001deede5354031e4200d41c6a7e8cbfc cve-icon cve-icon
https://github.com/pavelzbornik/whisperX-FastAPI/issues/256 cve-icon cve-icon
https://github.com/pavelzbornik/whisperX-FastAPI/security/advisories/GHSA-6rc7-r867-c635 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact