CVE-2026-56285
HighCVSS 8.6Summary
A vulnerability in Nitter allows unauthenticated attackers to exploit the /video media proxy endpoint to send HTTP requests to any host reachable by the server, including cloud metadata services and internal network resources. The issue stems from missing validation of target URLs against Twitter/X domains and the use of a hardcoded default HMAC key.
Risk Assessment
An attacker can access sensitive data from cloud metadata services (e.g., cloud access keys) and other internal network resources, potentially leading to privilege escalation and infrastructure confidentiality breaches.
Recommendation
Immediately update Nitter to a version that includes a fix validating target URLs against allowed domains and using a secure, random HMAC key. If an update is not possible, restrict access to the /video endpoint via firewall or reverse proxy.
Original NVD description (English source)
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

