Platform: rust
Component: activitypub_federation
Fixed in: 0.7.1, 0.7.0-beta.9
CVE-2026-33693 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the activitypub-federation-rust library. This flaw allows unauthenticated attackers to bypass SSRF protections, potentially granting access to localhost services on the target server. The vulnerability impacts versions prior to 0.7.0-beta.9, and a fix has been released in that version.
An attacker exploiting this SSRF vulnerability relies on the v4isinvalid() function accepting 0.0.0.0 as a valid IPv4 address. This bypasses the SSRF protection implemented to address CVE-2025-25194. Successfully exploiting this vulnerability allows an attacker to craft requests that target internal services running on the same host as the activitypub-federation-rust instance. Depending on which services are exposed, this could lead to unauthorized access to sensitive data or configuration information, or even to command execution on the server. The blast radius extends to any internal service reachable via localhost.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests a relatively low exploitation barrier. The vulnerability bypasses a previous fix (CVE-2025-25194), indicating potential for targeted exploitation.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33693 is to upgrade to version 0.7.0-beta.9 or later of the activitypub-federation-rust library. If upgrading is not immediately feasible, consider placing a Web Application Firewall (WAF) or reverse proxy in front of the instance to filter incoming requests and block those that reference 0.0.0.0 as a fetch target. Additionally, review and restrict access to internal services reachable via localhost to minimize the potential impact. No specific Sigma or YARA rules are available at this time, but monitoring for unusual outbound requests to localhost is recommended.
Update the `activitypub-federation-rust` library to version 0.7.0-beta.9 or higher. This version fixes the SSRF vulnerability by correctly validating the unspecified IPv4 address (0.0.0.0).
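The following is an added example, not code from activitypub-federation-rust, illustrating the class of check described above: an IPv4 filter that rejects loopback, private and link-local ranges but still accepts the unspecified address 0.0.0.0, placed beside a hardened version that also rejects it (the behaviour the fixed release is described as restoring). The function names, the IPv6 handling and the `fetch_target_is_allowed` gate are assumptions made for illustration; the library's real v4isinvalid() is not reproduced here.

```rust
// Added example (not code from activitypub-federation-rust). Function names
// are hypothetical; the weak check is modelled on the behaviour the advisory
// attributes to the pre-fix v4isinvalid(), not copied from it.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Weak check: loopback, private, link-local, broadcast and multicast are
/// rejected, but 0.0.0.0 passes. On most operating systems a connection to
/// 0.0.0.0 reaches services bound on the local host, so the loopback rule is
/// bypassed.
pub fn v4_is_invalid_weak(ip: Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
        || ip.is_multicast()
}

/// Hardened check: the unspecified address is rejected as well.
pub fn v4_is_invalid_hardened(ip: Ipv4Addr) -> bool {
    ip.is_unspecified() || v4_is_invalid_weak(ip)
}

/// IPv6 counterpart. Range tests on the leading segment are used instead of
/// the newer Ipv6Addr helpers so the example builds on older toolchains.
pub fn v6_is_invalid(ip: Ipv6Addr) -> bool {
    let seg = ip.segments();
    // ::ffff:a.b.c.d embeds an IPv4 address; judge it by the IPv4 rules so
    // that ::ffff:0.0.0.0 and ::ffff:127.0.0.1 cannot slip through.
    if seg[..5] == [0, 0, 0, 0, 0] && seg[5] == 0xffff {
        let v4 = Ipv4Addr::new(
            (seg[6] >> 8) as u8,
            seg[6] as u8,
            (seg[7] >> 8) as u8,
            seg[7] as u8,
        );
        return v4_is_invalid_hardened(v4);
    }
    ip.is_unspecified()                // ::
        || ip.is_loopback()            // ::1
        || ip.is_multicast()           // ff00::/8
        || (seg[0] & 0xffc0) == 0xfe80 // fe80::/10 link-local
        || (seg[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
}

pub fn ip_is_invalid(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => v4_is_invalid_hardened(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

/// Gate for an outbound federation fetch. `resolved` must hold every address
/// the target host resolved to: the check has to run after DNS resolution, on
/// the addresses actually connected to, or a name resolving to an internal
/// address bypasses it.
pub fn fetch_target_is_allowed(resolved: &[IpAddr]) -> Result<(), String> {
    if resolved.is_empty() {
        return Err("no addresses to check".into());
    }
    for ip in resolved {
        if ip_is_invalid(*ip) {
            return Err(format!("refusing to fetch from internal address {ip}"));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample destinations; not taken from any real traffic.
    let samples = [
        "0.0.0.0", "127.0.0.1", "10.1.2.3", "::ffff:0.0.0.0",
        "::", "fe80::1", "2001:db8::1", "93.184.216.34",
    ];
    for s in samples {
        let ip: IpAddr = s.parse().expect("valid literal address");
        let weak = match ip {
            IpAddr::V4(v4) => v4_is_invalid_weak(v4),
            IpAddr::V6(v6) => v6_is_invalid(v6),
        };
        println!("{s:>16}  weak_rejects={weak:<5}  hardened_rejects={}", ip_is_invalid(ip));
    }
}
```

Running the block prints one line per sample address; the only row where the two columns disagree is 0.0.0.0, which is exactly the gap the advisory describes. The IPv6 branch exists because an IPv4-only fix leaves `::ffff:0.0.0.0` and `::` as equivalent bypasses, and the gate takes resolved addresses rather than a hostname string because a literal-only check is defeated by any name that resolves to an internal address.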
CVE-2026-33693 is a Server-Side Request Forgery vulnerability in the activitypub-federation-rust library, allowing attackers to bypass SSRF protections and access internal services.
You are affected if you are using a version of activitypub-federation-rust prior to 0.7.0-beta.9.
Upgrade to version 0.7.0-beta.9 or later of the activitypub-federation-rust library. Consider WAF rules as a temporary mitigation.
There is no confirmed active exploitation at this time, but the vulnerability's nature suggests a potential for exploitation.
Refer to the project's repository or release notes for the official advisory regarding CVE-2026-33693.