CVE-2026-45310: CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22.
HarborGuard Analysis
Synopsis
A server-side request forgery (SSRF) vulnerability exists in CodeWhale, the DeepSeek and MiMo coding agent for the terminal, specifically in its fetch_url tool. The tool validates the initial URL against an IP blocklist to block access to internal or cloud-metadata endpoints, but the underlying HTTP client (reqwest) follows up to 5 redirects without re-running that same validation, allowing an attacker to redirect requests to restricted internal addresses. Successful exploitation exposes confidential data such as cloud metadata credentials and internal service responses to the attacker. A patched-image rebuild at version 0.8.22 is available on HarborGuard for environments running an affected version.
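To make the redirect-bypass concrete, here is an added example written for this analysis; it is not CodeWhale's code and is not taken from reqwest. It uses only the Rust standard library: `is_restricted_ip()` is a stand-in named after the function in the advisory (the ranges are this example's own, not the project's list), and `FakeNet` is a constructed DNS table plus a constructed map of which URLs answer with a `Location` header. `fetch_url()` follows up to five redirects, exactly as the vulnerable configuration does; with `validate_every_hop = false` it reproduces the pre-0.8.22 behaviour (only the initial URL is checked, later hops are followed blindly), and with `true` it shows the fix, re-resolving and re-checking each redirect target. In a real reqwest client that per-hop check belongs in a `reqwest::redirect::Policy::custom` closure, which sees every `Attempt` and can call `attempt.stop()`; note that such a policy only sees the URL at redirect time, so the resolved address used for the actual connection should also be constrained (for example at the network layer) rather than trusting a one-time DNS lookup.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Blocklist check in the spirit of the advisory's is_restricted_ip().
/// Ranges chosen for this example; the project's own list may differ.
pub fn is_restricted_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback()            // 127.0.0.0/8
                || v4.is_private()      // 10/8, 172.16/12, 192.168/16
                || v4.is_link_local()   // 169.254.0.0/16 (cloud metadata lives here)
                || v4.is_unspecified()  // 0.0.0.0
        }
        IpAddr::V6(v6) => {
            v6.is_loopback()
                || v6.is_unspecified()
                || (v6.segments()[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
                || (v6.segments()[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
                // ::ffff:a.b.c.d must be judged by the embedded IPv4 address
                || v6.to_ipv4_mapped().map_or(false, |m| is_restricted_ip(IpAddr::V4(m)))
        }
    }
}

/// Constructed stand-in for DNS and for server responses (no real network I/O).
/// `host_ips`: hostname -> address it resolves to.
/// `redirects`: URL -> Location header its server answers with; absent = 200 OK.
pub struct FakeNet {
    pub host_ips: HashMap<&'static str, IpAddr>,
    pub redirects: HashMap<&'static str, &'static str>,
}

/// Minimal host extraction. Bracketed IPv6 literals are not handled by this toy parser.
fn host_of(url: &str) -> Option<&str> {
    let rest = url.strip_prefix("http://").or_else(|| url.strip_prefix("https://"))?;
    let authority = rest.split('/').next().unwrap_or(rest);
    Some(authority.rsplit_once(':').map_or(authority, |(h, _)| h))
}

#[derive(Debug, PartialEq)]
pub enum Outcome {
    Fetched(String),  // final URL whose body would be handed back to the agent
    Blocked(String),  // URL rejected by the SSRF check
    TooManyRedirects,
}

/// Follow at most `max_redirects` hops. `validate_every_hop = false` mirrors the
/// vulnerable setup (check only hop 0, then follow redirects blindly);
/// `true` resolves and checks every Location before requesting it.
pub fn fetch_url(net: &FakeNet, url: &str, max_redirects: usize, validate_every_hop: bool) -> Outcome {
    let mut current = url.to_string();
    for hop in 0..=max_redirects {
        if hop == 0 || validate_every_hop {
            // Resolve the host and run the blocklist; unknown hosts are treated as blocked.
            let ip = host_of(&current).and_then(|h| net.host_ips.get(h).copied());
            match ip {
                Some(ip) if !is_restricted_ip(ip) => {}
                _ => return Outcome::Blocked(current),
            }
        }
        // "Send" the request: either the server redirects us or serves the body.
        let next = net.redirects.get(current.as_str()).copied();
        match next {
            Some(location) => current = location.to_string(),
            None => return Outcome::Fetched(current),
        }
    }
    Outcome::TooManyRedirects
}

/// Constructed scenario: a public-looking host (TEST-NET-3 address) that, on one
/// path, answers with a redirect into the link-local metadata range.
pub fn demo_net() -> FakeNet {
    let mut host_ips = HashMap::new();
    host_ips.insert("docs.example.org", IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10)));
    host_ips.insert("169.254.169.254", IpAddr::V4(Ipv4Addr::new(169, 254, 169, 254)));
    host_ips.insert("localhost", IpAddr::V4(Ipv4Addr::LOCALHOST));
    let mut redirects = HashMap::new();
    redirects.insert("http://docs.example.org/start", "http://docs.example.org/page");
    redirects.insert("http://docs.example.org/hop", "http://169.254.169.254/latest/meta-data/");
    FakeNet { host_ips, redirects }
}

fn main() {
    let net = demo_net();
    for (url, revalidate) in [("http://docs.example.org/hop", false), ("http://docs.example.org/hop", true)] {
        println!("{} (re-validate every hop: {}) -> {:?}", url, revalidate, fetch_url(&net, url, 5, revalidate));
    }
}
```

Running `main` shows the two behaviours side by side: with per-hop validation off, the request to the public host ends as `Fetched("http://169.254.169.254/latest/meta-data/")`, which is the bypass the advisory describes; with it on, the same chain ends as `Blocked(...)` at the redirect target. The unknown-host-is-blocked rule and the IPv4-mapped IPv6 check are the two edge cases most often missed when such a blocklist is written.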
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-45310 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle CodeWhale.
- Scoring and triage: Available
HarborGuard is capable of scoring this finding at CVSS 7.4 (High) and weighting it against each environment's compliance policy to determine urgency; triage routing to the appropriate team inbox within each customer org is available automatically based on those policy settings.
- Patched-image rebuild: Pending upstream
Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment version 0.8.22 or later is confirmed upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the CodeWhale service over the network to supply a crafted URL to the fetch_url tool.
- Authentication: Not required
No credentials or account are needed to trigger the vulnerable fetch_url code path.
- Victim interaction: Required
A user must invoke the fetch_url tool with an attacker-controlled URL, requiring some form of social engineering or malicious input delivery to that user.
- Attack complexity: Low
Exploitation is reliable and condition-free once a malicious URL is submitted; no race conditions or special memory layout are required.
Blast Radius
- An attacker reads responses from cloud instance metadata endpoints (for example, AWS IMDSv1 at 169.254.169.254), potentially obtaining temporary IAM credentials or instance identity documents.
- Internal HTTP services on private network ranges (RFC 1918 addresses) that are otherwise unreachable from the internet become readable by the attacker through the proxied redirect chain.
- No integrity impact: the vulnerability is limited to read access and does not grant the ability to modify data or execute commands on reachable internal services.
- Service availability is not directly affected; the exploit is a passive information-disclosure technique.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix version has been confirmed at this time, HarborGuard re-evaluates the advisory on every ingest cycle so that a patched-image rebuild becomes available automatically the moment version 0.8.22 is published. In the interim, compensating controls are worth considering: applying a network policy that restricts egress from containers running CodeWhale to known-safe external destinations, blocking outbound HTTP to link-local (169.254.0.0/16) and private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) ranges at the network layer, and disabling or gating the fetch_url feature via a feature flag until the patch is available. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild, regression-test run, and PR against affected workloads as soon as the upstream fix is confirmed.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Hmbown / CodeWhale: < 0.8.22
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N