Intel

AIKIDO-2026-660340

drupal/ai_provider_openai is vulnerable to Server-side Request Forgery (SSRF)

Server-side Request Forgery (SSRF)CVE-2026-13233 Published Jun 25, 2026

50

Medium Risk

This Affects:

PHPdrupal/ai_provider_openai
0.0.1 - 1.1.0
Fixed in 1.1.1
1.2.0 - 1.2.1
Fixed in 1.2.2
Are you affected? Scan for Free

TL;DR

The Drupal OpenAI provider module is vulnerable to server-side request forgery (SSRF) due to insufficient sanitization of user-supplied URLs. This issue only affects sites where an attacker can modify the configured host URL and trigger AI-generated image requests.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

drupal/ai_provider_openai is vulnerable to Server-side Request Forgery (SSRF) in versions 0.0.1 - 1.1.0 and 1.2.0 - 1.2.1.

How to fix this

Upgrade the drupal/ai_provider_openai library to the patch version.