๐Ÿ” CVE Alert

CVE-2026-15508

MEDIUM 6.3

Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery

CVSS Score
6.3
EPSS Score
0.3%
EPSS Percentile
25th

A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE CWE-918
Vendor helicone
Product ai-gateway
Published Jul 12, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for helicone ai-gateway

Be the first to know when new medium vulnerabilities affecting helicone ai-gateway are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

Helicone / ai-gateway
0.2.0-beta.0 0.2.0-beta.1 0.2.0-beta.2 0.2.0-beta.3 0.2.0-beta.4 0.2.0-beta.5 0.2.0-beta.6 0.2.0-beta.7 0.2.0-beta.8 0.2.0-beta.9 0.2.0-beta.10 0.2.0-beta.11 0.2.0-beta.12 0.2.0-beta.13 0.2.0-beta.14 0.2.0-beta.15 0.2.0-beta.16 0.2.0-beta.17 0.2.0-beta.18 0.2.0-beta.19 0.2.0-beta.20 0.2.0-beta.21 0.2.0-beta.22 0.2.0-beta.23 0.2.0-beta.24 0.2.0-beta.25 0.2.0-beta.26 0.2.0-beta.27 0.2.0-beta.28 0.2.0-beta.29 0.2.0-beta.30

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/377837 vuldb.com: https://vuldb.com/vuln/377837/cti vuldb.com: https://vuldb.com/cve/CVE-2026-15508 vuldb.com: https://vuldb.com/submit/845671 github.com: https://github.com/oscar2744/CVE-Submit/issues/1

Credits

๐Ÿ” havel8964 (VulDB User) VulDB CNA Team