A vulnerability was found in Helicone ai-gateway up to 0.2.0-beta.30 and classified as critical. This affects the function
build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery.
This vulnerability is handled as CVE-2026-15508. The attack can be executed remotely. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.