Server-Side Request Forgery Vulnerability in bigsk1 OpenAI Realtime UI
CVE-2026-5803

5.3MEDIUM

Key Information:

Vendor: Bigsk1
Status: Openai-realtime-ui
Vendor: CVE Published:; 8 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-5803?

A security flaw has been identified in the bigsk1 OpenAI Realtime UI affecting its API Proxy Endpoint, specifically within the server.js file. This vulnerability allows a remote attacker to exploit an unknown function by manipulating the argument Query, enabling server-side request forgery. The attack vector can be triggered remotely, posing significant risks. Continuous delivery with rolling releases means that affected or updated versions may not be specifically listed. A patch has been issued for this flaw, and it is highly recommended that users apply the relevant updates promptly to secure their environments.

Affected Version(s)

openai-realtime-ui 188ccde27fdf3d8fab8da81f3893468f53b2797c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-5803 - Proof of Concept

References

https://vuldb.com/vuln/356242

vdb-entrytechnical-description

https://vuldb.com/vuln/356242/cti

signaturepermissions-required

https://vuldb.com/submit/786984

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 8, 2026
👾
Exploit known to exist
Apr 8, 2026
Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Apr 8, 2026

Credit

BruceJin (VulDB User)

CVE-2026-5803 Data

JSON

Bigsk1