CVE-2026-4964

letta-ai letta File URL message_helper.py _convert_message_create_to_message server-side request forgery

CVSS 5.3 MEDIUMEPSS 0.3%CWE-918

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.3EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

27 Mar 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Affected products

letta-ai · letta

public PoCs found — 1

cve_referencegist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214daunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214da https://vuldb.com/?ctiid.353841 https://vuldb.com/?id.353841 https://vuldb.com/?submit.777645