Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by Helicone
CVE-2026-15508 (GCVE-0-2026-15508)
Vulnerability from nvd – Published: 2026-07-12 22:15 – Updated: 2026-07-12 22:15
VLAI
EPSS
VEX
Title
Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery
Summary
A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377837 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377837/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15508 | third-party-advisory |
| https://vuldb.com/submit/845671 | third-party-advisory |
| https://github.com/oscar2744/CVE-Submit/issues/1 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Helicone | ai-gateway |
Affected:
0.2.0-beta.0
Affected: 0.2.0-beta.1 Affected: 0.2.0-beta.2 Affected: 0.2.0-beta.3 Affected: 0.2.0-beta.4 Affected: 0.2.0-beta.5 Affected: 0.2.0-beta.6 Affected: 0.2.0-beta.7 Affected: 0.2.0-beta.8 Affected: 0.2.0-beta.9 Affected: 0.2.0-beta.10 Affected: 0.2.0-beta.11 Affected: 0.2.0-beta.12 Affected: 0.2.0-beta.13 Affected: 0.2.0-beta.14 Affected: 0.2.0-beta.15 Affected: 0.2.0-beta.16 Affected: 0.2.0-beta.17 Affected: 0.2.0-beta.18 Affected: 0.2.0-beta.19 Affected: 0.2.0-beta.20 Affected: 0.2.0-beta.21 Affected: 0.2.0-beta.22 Affected: 0.2.0-beta.23 Affected: 0.2.0-beta.24 Affected: 0.2.0-beta.25 Affected: 0.2.0-beta.26 Affected: 0.2.0-beta.27 Affected: 0.2.0-beta.28 Affected: 0.2.0-beta.29 Affected: 0.2.0-beta.30 cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*"
],
"modules": [
"AWS Metadata Service"
],
"product": "ai-gateway",
"vendor": "Helicone",
"versions": [
{
"status": "affected",
"version": "0.2.0-beta.0"
},
{
"status": "affected",
"version": "0.2.0-beta.1"
},
{
"status": "affected",
"version": "0.2.0-beta.2"
},
{
"status": "affected",
"version": "0.2.0-beta.3"
},
{
"status": "affected",
"version": "0.2.0-beta.4"
},
{
"status": "affected",
"version": "0.2.0-beta.5"
},
{
"status": "affected",
"version": "0.2.0-beta.6"
},
{
"status": "affected",
"version": "0.2.0-beta.7"
},
{
"status": "affected",
"version": "0.2.0-beta.8"
},
{
"status": "affected",
"version": "0.2.0-beta.9"
},
{
"status": "affected",
"version": "0.2.0-beta.10"
},
{
"status": "affected",
"version": "0.2.0-beta.11"
},
{
"status": "affected",
"version": "0.2.0-beta.12"
},
{
"status": "affected",
"version": "0.2.0-beta.13"
},
{
"status": "affected",
"version": "0.2.0-beta.14"
},
{
"status": "affected",
"version": "0.2.0-beta.15"
},
{
"status": "affected",
"version": "0.2.0-beta.16"
},
{
"status": "affected",
"version": "0.2.0-beta.17"
},
{
"status": "affected",
"version": "0.2.0-beta.18"
},
{
"status": "affected",
"version": "0.2.0-beta.19"
},
{
"status": "affected",
"version": "0.2.0-beta.20"
},
{
"status": "affected",
"version": "0.2.0-beta.21"
},
{
"status": "affected",
"version": "0.2.0-beta.22"
},
{
"status": "affected",
"version": "0.2.0-beta.23"
},
{
"status": "affected",
"version": "0.2.0-beta.24"
},
{
"status": "affected",
"version": "0.2.0-beta.25"
},
{
"status": "affected",
"version": "0.2.0-beta.26"
},
{
"status": "affected",
"version": "0.2.0-beta.27"
},
{
"status": "affected",
"version": "0.2.0-beta.28"
},
{
"status": "affected",
"version": "0.2.0-beta.29"
},
{
"status": "affected",
"version": "0.2.0-beta.30"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "havel8964 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-12T22:15:11.407Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377837 | Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377837"
},
{
"name": "VDB-377837 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377837/cti"
},
{
"name": "CVE-2026-15508 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15508"
},
{
"name": "Submit #845671 | GitHub Helicone ai-gateway v0.2.0-beta.30 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/845671"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/oscar2744/CVE-Submit/issues/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-12T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-12T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-12T07:57:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15508",
"datePublished": "2026-07-12T22:15:11.407Z",
"dateReserved": "2026-07-12T05:52:24.844Z",
"dateUpdated": "2026-07-12T22:15:11.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15508 (GCVE-0-2026-15508)
Vulnerability from cvelistv5 – Published: 2026-07-12 22:15 – Updated: 2026-07-12 22:15
VLAI
EPSS
VEX
Title
Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery
Summary
A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/377837 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/377837/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-15508 | third-party-advisory |
| https://vuldb.com/submit/845671 | third-party-advisory |
| https://github.com/oscar2744/CVE-Submit/issues/1 | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Helicone | ai-gateway |
Affected:
0.2.0-beta.0
Affected: 0.2.0-beta.1 Affected: 0.2.0-beta.2 Affected: 0.2.0-beta.3 Affected: 0.2.0-beta.4 Affected: 0.2.0-beta.5 Affected: 0.2.0-beta.6 Affected: 0.2.0-beta.7 Affected: 0.2.0-beta.8 Affected: 0.2.0-beta.9 Affected: 0.2.0-beta.10 Affected: 0.2.0-beta.11 Affected: 0.2.0-beta.12 Affected: 0.2.0-beta.13 Affected: 0.2.0-beta.14 Affected: 0.2.0-beta.15 Affected: 0.2.0-beta.16 Affected: 0.2.0-beta.17 Affected: 0.2.0-beta.18 Affected: 0.2.0-beta.19 Affected: 0.2.0-beta.20 Affected: 0.2.0-beta.21 Affected: 0.2.0-beta.22 Affected: 0.2.0-beta.23 Affected: 0.2.0-beta.24 Affected: 0.2.0-beta.25 Affected: 0.2.0-beta.26 Affected: 0.2.0-beta.27 Affected: 0.2.0-beta.28 Affected: 0.2.0-beta.29 Affected: 0.2.0-beta.30 cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:helicone:ai-gateway:*:*:*:*:*:*:*:*"
],
"modules": [
"AWS Metadata Service"
],
"product": "ai-gateway",
"vendor": "Helicone",
"versions": [
{
"status": "affected",
"version": "0.2.0-beta.0"
},
{
"status": "affected",
"version": "0.2.0-beta.1"
},
{
"status": "affected",
"version": "0.2.0-beta.2"
},
{
"status": "affected",
"version": "0.2.0-beta.3"
},
{
"status": "affected",
"version": "0.2.0-beta.4"
},
{
"status": "affected",
"version": "0.2.0-beta.5"
},
{
"status": "affected",
"version": "0.2.0-beta.6"
},
{
"status": "affected",
"version": "0.2.0-beta.7"
},
{
"status": "affected",
"version": "0.2.0-beta.8"
},
{
"status": "affected",
"version": "0.2.0-beta.9"
},
{
"status": "affected",
"version": "0.2.0-beta.10"
},
{
"status": "affected",
"version": "0.2.0-beta.11"
},
{
"status": "affected",
"version": "0.2.0-beta.12"
},
{
"status": "affected",
"version": "0.2.0-beta.13"
},
{
"status": "affected",
"version": "0.2.0-beta.14"
},
{
"status": "affected",
"version": "0.2.0-beta.15"
},
{
"status": "affected",
"version": "0.2.0-beta.16"
},
{
"status": "affected",
"version": "0.2.0-beta.17"
},
{
"status": "affected",
"version": "0.2.0-beta.18"
},
{
"status": "affected",
"version": "0.2.0-beta.19"
},
{
"status": "affected",
"version": "0.2.0-beta.20"
},
{
"status": "affected",
"version": "0.2.0-beta.21"
},
{
"status": "affected",
"version": "0.2.0-beta.22"
},
{
"status": "affected",
"version": "0.2.0-beta.23"
},
{
"status": "affected",
"version": "0.2.0-beta.24"
},
{
"status": "affected",
"version": "0.2.0-beta.25"
},
{
"status": "affected",
"version": "0.2.0-beta.26"
},
{
"status": "affected",
"version": "0.2.0-beta.27"
},
{
"status": "affected",
"version": "0.2.0-beta.28"
},
{
"status": "affected",
"version": "0.2.0-beta.29"
},
{
"status": "affected",
"version": "0.2.0-beta.30"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "havel8964 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-12T22:15:11.407Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-377837 | Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/377837"
},
{
"name": "VDB-377837 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/377837/cti"
},
{
"name": "CVE-2026-15508 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-15508"
},
{
"name": "Submit #845671 | GitHub Helicone ai-gateway v0.2.0-beta.30 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/845671"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/oscar2744/CVE-Submit/issues/1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-12T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-12T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-12T07:57:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "Helicone ai-gateway AWS Metadata Service service.rs build_target_url server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-15508",
"datePublished": "2026-07-12T22:15:11.407Z",
"dateReserved": "2026-07-12T05:52:24.844Z",
"dateUpdated": "2026-07-12T22:15:11.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}