Vulnerability Details CVE-2026-22664
prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.4%
CVSS Severity
CVSS v3 Score 7.7
References
Products affected by CVE-2026-22664
-
cpe:2.3:a:fka:prompts.chat:*