CVE-2026-45373 | Severity: HIGH | Published / Modified: (dates not shown) | CNA: GitHub_M

CVE-2026-45373: CodeWhale: SSRF IPv6 bypass

CodeWhale is a DeepSeek + MiMo coding agent for the terminal. Prior to 0.8.26, the SSRF validation rejects hostnames that resolve to private IPv6 addresses, but when the IPv6 address is supplied directly in the URL as http://[::1], the SSRF defenses do not apply. This vulnerability is fixed in 0.8.26.

HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) bypass affects CodeWhale, the DeepSeek and MiMo coding agent for the terminal, in versions before 0.8.26. The vulnerability is reachable over the network without authentication, but requires a victim to take an action; an attacker who tricks a user into triggering a crafted request can supply a raw IPv6 literal (such as http://[::1]) in a URL, bypassing the hostname-based SSRF defenses that would otherwise block requests to private addresses. Successful exploitation lets the attacker read responses from internal services that should be inaccessible from outside the host. Note: the description states a fix exists in 0.8.26, but no fix version has been formally published in the advisory record; HarborGuard is tracking the advisory for confirmed patch availability.
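The two paragraphs above describe a validator that handles resolvable hostnames but not a bracketed IPv6 literal. As an added illustration (neither CodeWhale's nor HarborGuard's code), the Python below contrasts an illustrative naive host check that mangles `[::1]` and fails open with a hardened check that parses the host properly, unwraps IPv4-mapped IPv6, and fails closed; the resolver table and the address 23.45.67.89 are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def _is_private(addr: str) -> bool:
    """True for loopback, link-local, RFC1918/ULA, documentation and other
    non-global addresses. Raises ValueError if addr is not an IP literal."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not ip.is_global

def _dns_resolve(host: str) -> list[str]:
    """Every A/AAAA answer for host; an unresolvable name yields []."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def naive_is_blocked(url: str, resolve=_dns_resolve) -> bool:
    """Illustrative broken check (assumed pattern, NOT CodeWhale's code):
    strips the port by splitting on ':', which mangles "[::1]" into "[:",
    then fails open when that string neither parses nor resolves."""
    host = urlsplit(url).netloc.rsplit(":", 1)[0]
    try:
        return _is_private(host)  # catches IPv4 literals only
    except ValueError:
        pass
    return any(_is_private(a) for a in resolve(host))  # [] -> False: open

def is_blocked(url: str, resolve=_dns_resolve) -> bool:
    """Hardened check: parsed hostname (brackets stripped), IP literals of
    both families, all resolved addresses, and fail closed on anything odd."""
    parts = urlsplit(url)
    host = parts.hostname  # "[::1]:8080" -> "::1"; also lower-cased
    if parts.scheme not in ("http", "https") or not host:
        return True
    try:
        return _is_private(host)
    except ValueError:
        pass  # not a literal: treat as a hostname and resolve it
    addrs = resolve(host)
    return not addrs or any(_is_private(a) for a in addrs)

def _stub_resolve(host: str) -> list[str]:
    """Constructed offline resolver so the example needs no DNS."""
    table = {"localhost": ["::1", "127.0.0.1"], "app.example": ["23.45.67.89"]}
    return table.get(host, [])
```

Passing `_stub_resolve` shows the naive check letting http://[::1]/ through while still blocking http://localhost/, and the hardened check blocking both; in production the default DNS resolver is used, and the check should be repeated on every redirect hop.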

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45373 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle CodeWhale or its dependencies.

Triage: Available

Triage is available using the CVSS v3.1 score of 7.4 (HIGH), weighted against each customer organization's per-environment compliance policy, and routed to the appropriate team inbox within that org.

Patch: Pending upstream

Because no fix version has been formally confirmed in the upstream advisory record, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed upstream fix is published. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends the crafted IPv6-literal URL across the internet or internal network to the CodeWhale agent.

  • Authentication: Not required

    No credentials or account are needed to deliver the malicious request to the affected service.

  • Victim interaction: Required

    A user must perform an action (such as opening a crafted project, file, or link) that causes CodeWhale to issue the forged internal request.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable; no race conditions or special memory layout are required to trigger the IPv6 bypass.

Blast Radius

  • Reads responses from internal HTTP services bound to loopback or private IPv6 addresses that are normally unreachable from outside the host.
  • Exposes internal API endpoints, metadata services (such as cloud instance metadata), or administrative interfaces that assume network isolation as their only protection.
  • Leaks sensitive data returned by those internal services, including credentials, tokens, or configuration details, depending on what the internal service responds with.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the CVE-2026-45373 advisory is active, with re-evaluation on every ingest cycle so that a patched-image rebuild at the confirmed fix version becomes available the moment upstream publishes one. In the interim, compensating controls are worth considering: network-policy isolation that prevents the CodeWhale process from making outbound connections to loopback and private address ranges, egress filtering at the container or pod level to block requests to 169.254.0.0/16 and ::1, and feature-flag gating of any CodeWhale URL-fetching capability in environments where it is not strictly required. For customers with auto-remediation enabled, the moment a confirmed fix is published the pipeline will produce a rebuilt image, run regression tests, and open a pull request against affected workloads; customers without auto-remediation will see the patched rebuild flagged for manual promotion.

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected products: 1
  • Affected packages: Hmbown / CodeWhale, < 0.8.26
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N