Server-Side Request Forgery in Repomix Affects Unauthenticated Users
CVE-2026-59702

9.2CRITICAL

Key Information:

Vendor

Repomix

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59702?

Repomix includes a security vulnerability rooted in the handling of requests at the POST /api/pack endpoint. This flaw permits unauthorized users to issue arbitrary outbound requests by exploiting the failure to properly validate various URL schemas, such as http://, https://, and file://. As a result, attackers can potentially access sensitive information from private network addresses, GCP metadata services, or local filesystem paths. This oversight poses significant risks, particularly for deployments where access controls are not strictly enforced.

Affected Version(s)

repomix 0

repomix 0 < 1.14.1

repomix 0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.