CVE-2026-45568
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Description
## Summary

Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.

## Details

The Python SDK proxy route accepts every path under the share:

```python
# Every HTTP method and every sub-path of the share is routed to proxy();
# `path` is taken verbatim from the request URL.
@app.route('/', defaults={'path': ''}, methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
@app.route('/<path:path>', methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'])
def proxy(path):
```

It constructs the outbound URL with `urljoin` and then sends the request:

```python
# `path` is request-controlled: urljoin() returns an absolute URL in `path`
# as-is, discarding self.target's scheme and host.
url = urllib.parse.urljoin(self.target, path)
resp = requests.request(
    method=request.method,
    url=url,
    headers={key: value for (key, value) in request.headers
             if key.lower() not in HOP_BY_HOP_HEADERS},
    data=request.get_data(),
    cookies=request.cookies,
    allow_redirects=False,
    stream=True,
    verify=self.verify_ssl
)
```

When `path` is `http://127.0.0.1:19190/metadata`, `urljoin(self.target, path)` returns `http://127.0.0.1:19190/metadata`. The proxy sends the request to Bob's chosen URL rather than Alice's target.
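As an added example (not code from the advisory or from the affected SDK), the snippet below reproduces the `urljoin` behaviour described above with no network traffic and places a guarded join beside it, the kind a proxy handler could call before `requests.request`. The target URL, the `safe_join` and `is_rejected` helpers and the `UnsafeProxyPath` exception are this example's own; the `127.0.0.1:19190/metadata` path is the one quoted in the advisory. The guard also refuses scheme-relative input (`//host/...`) and `..` segments that climb above the configured base path, which goes beyond the absolute-URL case the advisory describes.

```python
import urllib.parse

# Constructed stand-in for Alice's configured share target. The base path must
# end with "/" so that relative segments are appended under it.
TARGET = "http://internal-service.example:8080/api/"


class UnsafeProxyPath(ValueError):
    """Raised when a request path would change where the proxy sends traffic."""


def vulnerable_join(target: str, path: str) -> str:
    """The pattern from the advisory: urljoin() returns an absolute URL found in
    `path` unchanged, discarding the configured target entirely."""
    return urllib.parse.urljoin(target, path)


def safe_join(target: str, path: str) -> str:
    """Resolve `path` against `target`, refusing any result that leaves the
    target origin (scheme, host, port) or climbs above the target's base path."""
    base = urllib.parse.urlsplit(target)

    # 1. Reject input that carries its own scheme or authority
    #    ("http://...", "//host/...") before urljoin() ever sees it.
    parts = urllib.parse.urlsplit(path)
    if parts.scheme or parts.netloc:
        raise UnsafeProxyPath(f"absolute or scheme-relative path rejected: {path!r}")

    # 2. Drop leading slashes so the segment extends the base path instead of
    #    replacing it ("/users" would otherwise resolve to "<origin>/users").
    resolved = urllib.parse.urljoin(target, path.lstrip("/"))
    out = urllib.parse.urlsplit(resolved)

    # 3. Defence in depth: confirm the origin is unchanged after joining.
    if (out.scheme, out.netloc) != (base.scheme, base.netloc):
        raise UnsafeProxyPath(f"origin changed: {resolved!r}")

    # 4. Confirm ".." segments did not escape the configured base path.
    if not out.path.startswith(base.path):
        raise UnsafeProxyPath(f"path escaped base path: {resolved!r}")

    return resolved


def is_rejected(target: str, path: str) -> bool:
    """True if safe_join() refuses `path` for `target`."""
    try:
        safe_join(target, path)
    except UnsafeProxyPath:
        return True
    return False


if __name__ == "__main__":
    hostile = "http://127.0.0.1:19190/metadata"  # the path quoted in the advisory
    print("urljoin :", vulnerable_join(TARGET, hostile))
    print("rejected:", is_rejected(TARGET, hostile))
    print("benign  :", safe_join(TARGET, "users/1?fields=name"))
```

Steps 3 and 4 are deliberately redundant with step 1: if the input check is ever loosened, the post-join comparison still catches a changed origin. The handler should keep `allow_redirects=False`, as the quoted code already does, so that a redirect from the legitimate target cannot move the outbound request either.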
How to fix CVE-2026-45568
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2026-45568 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45568.
Affected packages (1)
- >= 0.4.47, <= 1.1.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L |