Vulnerability in WhisperX API FileService for Audio Content Analysis
CVE-2026-34981

5.8 MEDIUM

Key Information:

Vendor
CVE Published: 6 April 2026

What is CVE-2026-34981?

The WhisperX API, which enhances and analyzes audio content, contains a vulnerability in its FileService.download_from_url() function. In versions 0.3.1 to 0.5.0, this function makes an HTTP request to a provided URL without validating it first. Because the URL is not validated, an attacker can have the server request internal URLs by appending '.mp3' to them. The /speech-to-text-url endpoint is also unauthenticated, which further increases the risk. The vulnerability was addressed in version 0.6.0.

Affected Version(s)

whisperX-FastAPI >= 0.3.1, < 0.6.0

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
