CVE-2026-34981

Published: Apr 6, 2026Modified: Apr 27, 2026

5.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.download_from_url() in app/services/file_service.py calls requests.get(url) with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by appending .mp3 to any internal URL. The /speech-to-text-url endpoint is unauthenticated. This vulnerability is fixed in 0.6.0.

Affected (1)

Products: Pavelzbornik: Whisperx Rest Api

1 product

Whisperx Rest Api

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pavelzbornik Whisperx Rest Api	From 0.3.1 to 0.6.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/pavelzbornik/whisperX-FastAPI/commit/ef78fe2001deede5354031e4200d41c6a7e8cbfc

Source: security-advisories@github.com

Patch

https://github.com/pavelzbornik/whisperX-FastAPI/issues/256

Source: security-advisories@github.com

Issue TrackingPatch

https://github.com/pavelzbornik/whisperX-FastAPI/security/advisories/GHSA-6rc7-r867-c635

Source: security-advisories@github.com

Third Party AdvisoryExploitMitigation

Timeline

No history available yet.