Server-Side Request Forgery in Vexa Meeting Bot API
CVE-2026-25883

5.8 MEDIUM

Key Information:

Vendor

Vexa-ai

Status
Vendor
CVE Published:
20 April 2026

What is CVE-2026-25883?

The Vexa Meeting Bot API has a critical security flaw in its webhook feature that allows authenticated users to set an arbitrary URL for receiving HTTP POST requests upon meeting completion. Due to inadequate validation of the webhook URL, this vulnerability enables Server-Side Request Forgery (SSRF) attacks. An attacker can manipulate the webhook to target internal services, including databases, admin panels, and even exploit cloud metadata endpoints for credential theft. The issue is remediated in version 0.10.0-260419-1910.

Affected Version(s)

vexa < 0.10.0-260419-1910

References

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
