CVE-2026-15508

Summary

A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
Heliconeai-gateway0.2.0-beta.0affected
Heliconeai-gateway0.2.0-beta.1affected
Heliconeai-gateway0.2.0-beta.2affected
Heliconeai-gateway0.2.0-beta.3affected
Heliconeai-gateway0.2.0-beta.4affected
Heliconeai-gateway0.2.0-beta.5affected
Heliconeai-gateway0.2.0-beta.6affected
Heliconeai-gateway0.2.0-beta.7affected
Heliconeai-gateway0.2.0-beta.8affected
Heliconeai-gateway0.2.0-beta.9affected
Heliconeai-gateway0.2.0-beta.10affected
Heliconeai-gateway0.2.0-beta.11affected
Heliconeai-gateway0.2.0-beta.12affected
Heliconeai-gateway0.2.0-beta.13affected
Heliconeai-gateway0.2.0-beta.14affected
Heliconeai-gateway0.2.0-beta.15affected
Heliconeai-gateway0.2.0-beta.16affected
Heliconeai-gateway0.2.0-beta.17affected
Heliconeai-gateway0.2.0-beta.18affected
Heliconeai-gateway0.2.0-beta.19affected
Heliconeai-gateway0.2.0-beta.20affected
Heliconeai-gateway0.2.0-beta.21affected
Heliconeai-gateway0.2.0-beta.22affected
Heliconeai-gateway0.2.0-beta.23affected
Heliconeai-gateway0.2.0-beta.24affected
Heliconeai-gateway0.2.0-beta.25affected
Heliconeai-gateway0.2.0-beta.26affected
Heliconeai-gateway0.2.0-beta.27affected
Heliconeai-gateway0.2.0-beta.28affected
Heliconeai-gateway0.2.0-beta.29affected
Heliconeai-gateway0.2.0-beta.30affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

References