Server-Side Request Forgery in Nitter's Video Media Proxy Endpoint
CVE-2026-56285

7.7 HIGH

Key Information:

Vendor: Zedeus
Status: Vendor
CVE Published: 29 June 2026

What is CVE-2026-56285?

The video media proxy endpoint in Nitter is vulnerable to Server-Side Request Forgery (SSRF) because it does not properly validate the target URL it is asked to fetch. Requests to the proxy are authorised by an HMAC over the target URL, but Nitter ships with a hardcoded default HMAC key, so an unauthenticated attacker who knows that default can compute a valid HMAC for an arbitrary URL and make the server fetch it. This can expose data from any host the Nitter instance can reach, including cloud metadata services and other internal resources that should not be reachable from the internet. Operators should update to a build that includes the fix commit listed below and ensure the instance is not running with the default HMAC key.
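The following Python is an added illustration of the failure pattern the advisory describes, not code from Nitter or from the advisory. It models a media proxy that authorises fetches with an HMAC over the target URL, shows how a hardcoded default key lets an unauthenticated party forge a valid signature for a cloud metadata URL, and places a hardened check beside it. The default key value, the allowlisted media hosts, and the use of HMAC-SHA256 are assumptions for the example; the page does not state Nitter's actual key, hash, or upstream hosts.

```python
"""HMAC-signed media proxy: why a default key turns it into an SSRF oracle.

Added example; it does not reproduce Nitter's real implementation.
"""
import hashlib
import hmac
import ipaddress
import secrets
from urllib.parse import urlparse

# Assumed stand-in for the hardcoded default key the advisory refers to.
# The real value is not given on the page.
DEFAULT_HMAC_KEY = "secretkey"

# Assumed allowlist of upstream media hosts the proxy is meant to reach.
ALLOWED_HOSTS = frozenset({"video.twimg.com", "pbs.twimg.com"})


def sign_url(key: str, url: str) -> str:
    """Hex HMAC-SHA256 the proxy expects to accompany a target URL."""
    return hmac.new(key.encode(), url.encode(), hashlib.sha256).hexdigest()


def signature_ok(key: str, url: str, sig: str) -> bool:
    """Constant-time comparison of a client-supplied signature."""
    return hmac.compare_digest(sign_url(key, url), sig)


def vulnerable_proxy_allows(url: str, sig: str, key: str = DEFAULT_HMAC_KEY) -> bool:
    """Pattern described by the advisory: a valid HMAC is the only check,
    and the key defaults to a constant, so the signature proves nothing
    about who built the URL. No host or scheme validation at all."""
    return signature_ok(key, url, sig)


def attacker_forge(url: str) -> str:
    """An unauthenticated attacker who knows the default key signs any URL."""
    return sign_url(DEFAULT_HMAC_KEY, url)


def host_is_internal(host: str) -> bool:
    """True for IP literals that are private, loopback, link-local or
    reserved (169.254.169.254 covers the usual cloud metadata endpoint)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; the allowlist decides
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def hardened_proxy_allows(url: str, sig: str, key: str) -> bool:
    """Hardened pattern: refuse to operate on the default or a short key,
    validate scheme and host before trusting the HMAC, then verify it."""
    if key == DEFAULT_HMAC_KEY or len(key) < 32:
        return False
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    if host_is_internal(parsed.hostname) or parsed.hostname not in ALLOWED_HOSTS:
        return False
    return signature_ok(key, url, sig)


def generate_hmac_key() -> str:
    """A per-instance key; 32 random bytes as 64 hex characters."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed sample targets.
    meta = "http://169.254.169.254/latest/meta-data/"
    media = "https://video.twimg.com/ext_tw_video/1/pu/vid/720x1280/clip.mp4"
    forged = attacker_forge(meta)
    print("vulnerable proxy fetches metadata:", vulnerable_proxy_allows(meta, forged))
    key = generate_hmac_key()
    print("hardened proxy, forged sig:", hardened_proxy_allows(meta, forged, key))
    print("hardened proxy, real media:", hardened_proxy_allows(media, sign_url(key, media), key))
```

The allowlist check is by hostname only; a production fix should also pin the address the hostname resolves to at fetch time, otherwise DNS rebinding can still steer the request at an internal address after the check has passed.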

Affected Version(s)

nitter: all versions before commit 44b2f096f67da2cc257a0e262a94a7ae79e95d47 (the fix)

CVSS v4

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved
  • Vulnerability published: 29 June 2026

Credit

George Chen