Vulnerability  ·  2026-07-14

Helicone AI Gateway SSRF via AWS Metadata Service Path Handling

VulnerabilityMedium impactGlobalCVE-2026-15508
Helicone's ai-gateway, an LLM observability/routing gateway, contains an SSRF vulnerability in its AWS Metadata Service dispatcher component that lets a remote attacker manipulate the extracted_path_and_query argument to reach internal endpoints. A working exploit has been published.
AI gateways like Helicone sit in privileged network positions in front of LLM traffic, often on cloud compute with IAM roles attached; SSRF against the cloud metadata service is a well-known path to instance-role credential theft, which could then be used to pivot into the broader cloud environment hosting the AI infrastructure.
The build_target_url function in ai-gateway/src/dispatcher/service.rs (AWS Metadata Service component) fails to properly validate the extracted_path_and_query argument, allowing a remote attacker to manipulate request routing to reach the AWS instance metadata service or other internal/unintended endpoints (SSRF).
Helicone ai-gateway up to 0.2.0-beta.30
No vendor patch confirmed as of disclosure; the vendor did not respond to early disclosure. Restrict outbound network access from the ai-gateway host and disable/filter access to the cloud metadata endpoint (169.254.169.254) at the network layer as a compensating control.
NVD - CVE-2026-15508GitHub - CVE-Submit disclosure
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →