HIGH · CVE-2026-10107 · CNA: VulnCheck

CVE-2026-10107: MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.

HarborGuard Analysis


Synopsis

A server-side request forgery (SSRF) flaw in MoviePilot v2's /api/v1/system/img/{proxy} image proxy endpoint lets an authenticated attacker coax the server into fetching arbitrary URLs. The endpoint is reachable over the network and requires a low-privilege account with a valid resource_token cookie; the is_safe_url check only validates the domain against an assembled allowlist and never blocks private, loopback, or link-local targets. Successful exploitation enables enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources. No upstream fix has been published, and HarborGuard tracks the advisory for patch availability.
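To make the weakness concrete, here is an added illustration (not MoviePilot's own code, and the function names, allowlist entries and DNS table are constructed for this page): a domain-membership-only check of the kind the advisory describes, beside a hardened variant that keeps the allowlist gate but also resolves the host and rejects private, loopback, link-local and IPv4-mapped addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist standing in for the one MoviePilot assembles at runtime.
ALLOWED_DOMAINS = {"image.tmdb.org", "media.internal.example"}

# Constructed DNS table so the demo runs offline (hypothetical names/addresses).
DEMO_DNS = {"image.tmdb.org": ["23.45.67.89"],          # arbitrary public address
            "media.internal.example": ["10.0.0.5"]}     # allowlisted name, RFC1918 target

def demo_resolver(host):
    return DEMO_DNS.get(host, [])

def dns_resolver(host):
    # Real lookup; returns the textual address of every A/AAAA record.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_url_domain_only(url, allowed=ALLOWED_DOMAINS):
    """The weak pattern from the advisory: allowlist membership and nothing else."""
    return (urlsplit(url).hostname or "") in allowed

def is_public_address(addr):
    """False for private, loopback, link-local (incl. 169.254.169.254), multicast,
    reserved and unspecified addresses; unwraps IPv4-mapped IPv6 first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 etc.
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_url_hardened(url, allowed=ALLOWED_DOMAINS, resolver=dns_resolver):
    """Allowlist gate plus rejection of any resolved address that is not public.
    The fetch itself should then connect to the address checked here, not
    re-resolve the name, or a DNS rebinding can undo the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or host not in allowed:
        return False
    try:
        ipaddress.ip_address(host)        # IP literal: check it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:                   # socket.gaierror is a subclass
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)

if __name__ == "__main__":
    probe = "http://media.internal.example/cover.jpg"
    print("domain-only:", is_safe_url_domain_only(probe))
    print("hardened:   ", is_safe_url_hardened(probe, resolver=demo_resolver))
```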

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against MoviePilot images in customer registries and CI pipelines, including custom-built images derived from the affected versions.

Triage: Available

Triage is available with the CVSS v4.0 score of 7.0 (HIGH) applied automatically, then reweighted by each customer org's compliance policy and routed to the inbox configured for that environment.

Patch: Pending upstream

No fix version exists yet. HarborGuard re-checks the upstream advisory each ingest cycle and will make a patched-image rebuild available the moment a fixed MoviePilot release ships; for environments with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are opened automatically once that fix lands.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MoviePilot HTTP API over the network to call the image proxy endpoint.

  • Authentication: Required

    A low-privilege account with a valid resource_token cookie is sufficient to invoke the vulnerable endpoint.

  • Victim interaction: Not required

    The attacker drives the request directly; no user has to click or open anything.

  • Attack complexity: Low (AT:P)

    Attack complexity is low, but CVSS v4.0 marks an attack requirement (AT:P), meaning the attacker needs to know or guess a domain on the assembled allowlist to pass the is_safe_url check.

Blast Radius

  • Reads responses from internal HTTP services that the MoviePilot host can reach, including Jellyfin, Emby, and Plex admin and API surfaces.
  • Enumerates internal network layout by probing private, loopback, and link-local addresses through the proxy.
  • Exfiltrates data returned by those internal endpoints back to the authenticated attacker via the proxied response.
  • Pivots scope beyond MoviePilot itself, since the SSRF reaches resources in the surrounding network segment (reflected in the CVSS v4.0 SC:H subsequent-system impact).

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the upstream MoviePilot advisory, with a patched-image rebuild made available automatically the moment a fix lands; customers who opt into auto-remediation then receive the rebuild, a regression run, and a PR opened against affected workloads. In the meantime, HarborGuard surfaces compensating-control guidance for affected environments: restrict egress from the MoviePilot container so it cannot reach internal service ranges (RFC1918, loopback, link-local, metadata endpoints), apply a NetworkPolicy that limits which backends the pod may call, rotate any resource_token values that may have been issued to untrusted users, and consider feature-flag gating the image proxy route at an upstream reverse proxy until a fixed release is published.


Metrics

CVSS v4.0: 7.0
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1
Affected packages:
  • jxxghp / MoviePilot
    ≤ v2.13.2 · ≤ 0b7854a0af8751160b68c43c46ded48d2bd8a212
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N