LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint
Platform: python
Component: lollms-webui
Fixed in: 8.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in lollms-webui, the web user interface for Lord of Large Language and Multi modal Systems. It lets unauthenticated attackers make the server issue arbitrary GET requests, which can give them access to internal resources that only the server can reach. The advisory states that all versions known at the time of writing (up to and including commit 8c5dcef63d847bb3d027ec74915d8fe4afd3014e) are affected and that no patched version was then available; the platform metadata above lists 8.0.1 as the fixed version.
Impact and Attack Scenarios
The SSRF turns the server into an open HTTP proxy: a request to the route registered as @router.post("/api/proxy") makes the server issue a GET to an attacker-chosen URL and hand back the response. Because the request originates from the server, it reaches whatever the server can reach: internal admin interfaces and services that are not exposed to the internet, other hosts on the local network (which can be enumerated from response status and timing), and, on cloud instances, the instance metadata service. From the metadata service an attacker can obtain the short-lived credentials attached to the instance, such as AWS IAM role credentials or a GCP service-account token, and then act with whatever access that identity holds. Two caveats matter when assessing exposure. The proxy is limited to GET, so AWS IMDSv2, which requires a PUT to obtain a session token first, is out of reach and AWS credentials are only readable where IMDSv1 is still enabled; and the GCP metadata server requires a Metadata-Flavor: Google header, so it is reachable only if the proxy forwards attacker-supplied headers. Beyond that, the blast radius is every internal HTTP/HTTPS service reachable from the host, which makes this a high-impact vulnerability.
Exploitation Context
This vulnerability was published on 2026-03-24. No exploitation campaigns are currently known. It is not listed in the CISA KEV catalogue, and its EPSS score at the time of writing is 0.06% (18th percentile), a low predicted probability of exploitation; the flaw is nevertheless reachable over the network without authentication and carries a critical CVSS rating, which warrants prompt attention. Public proof-of-concept (PoC) code is likely to emerge, further increasing the risk.
Threat Intelligence
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (assembled from the per-metric values below; under the CVSS v3 formula these values give a base score of 9.1, Critical)
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; exploitation is reliable.
- Privileges Required: None. Unauthenticated; no credentials are needed to exploit.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Unchanged. Impact limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: None. No impact on availability.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published: 2026-03-24
- EPSS updated
Mitigation and Workarounds
Until a fixed release is deployed, reduce exposure at three layers. At the application edge, put lollms-webui behind a reverse proxy or WAF that denies, or at least requires authentication for, requests to /api/proxy; a WAF inspects inbound requests, so this is where the endpoint itself is closed off. At the network layer, apply egress filtering on the host or its security group so that outbound connections from the lollms-webui process can only reach the destinations it legitimately needs: deny loopback, the RFC 1918 ranges, link-local 169.254.0.0/16 (which contains the cloud metadata address 169.254.169.254) and any other internal ranges, and on AWS require IMDSv2 so that a GET-only proxy cannot read instance credentials. Isolate the instance in a tightly controlled network segment so that a successful SSRF reaches as little as possible, and monitor outbound connections from the host for requests to internal addresses or the metadata service, which a chat UI has no reason to make. These measures shrink the attack surface but do not remove the flaw; upgrade as soon as the fixed version (8.0.1 per the platform metadata above) is available to you.
How to fix
At the time of publication no fixed version was available; monitor the lollms-webui repository for updates and apply the patch as soon as it is released (the platform metadata above lists 8.0.1 as the fixed version). As a temporary mitigation, restrict access to the /api/proxy endpoint or apply strict validation to proxied URLs: allow only http and https, resolve the hostname and reject any address that is loopback, private, link-local or otherwise non-public, connect to the address that was checked rather than resolving a second time (otherwise DNS rebinding can swap in an internal address between check and use), and do not follow redirects, since a redirect from a public host to an internal address bypasses a check that only inspects the original URL.
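The URL vetting described above, written out as an added example in Python (the platform the page lists); this is not lollms-webui's own code. It assumes the endpoint receives a target URL and fetches it with GET, which the advisory does not spell out; the names SSRFBlocked, Target, vet_target, is_safe_url and fetch_pinned, the allowed-port set and the addresses in the comments are mine.

```python
"""Vetting a client-supplied URL before a server fetches it on the client's behalf.

Added example, not lollms-webui's own code. Assumed (the advisory does not say):
the endpoint receives a target URL and fetches it with GET. The names SSRFBlocked,
Target, vet_target, is_safe_url and fetch_pinned are mine.
"""
import http.client
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
ALLOWED_PORTS = {80, 443}  # assumption: the proxy only needs the default web ports


class SSRFBlocked(ValueError):
    """Raised when a proxied URL fails vetting."""


@dataclass(frozen=True)
class Target:
    scheme: str
    host: str  # name the client asked for: used for the Host header and SNI
    port: int
    ip: str    # address that was vetted; the fetch connects here, not to host
    path: str  # path plus query string


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses. Checking the resolved
    address rather than the URL text also catches names that point inward and
    alternative spellings of an IP that the resolver normalises."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is 10.0.0.1 in disguise
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def resolve_public(host: str, resolver=socket.getaddrinfo) -> str:
    """Resolve once and require every answer to be public. The returned address is
    pinned for the fetch, so a second lookup (DNS rebinding) cannot redirect it."""
    try:
        infos = resolver(host, None, type=socket.SOCK_STREAM)
    except OSError as exc:
        raise SSRFBlocked(f"cannot resolve {host!r}") from exc
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise SSRFBlocked(f"no address for {host!r}")
    for addr in addrs:
        if not is_public_ip(addr):
            raise SSRFBlocked(f"{host!r} resolves to non-public address {addr}")
    return addrs[0]


def vet_target(url: str, resolver=socket.getaddrinfo) -> Target:
    """Parse and validate a client-supplied URL; raises SSRFBlocked on any failure."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")  # no file:, gopher:, ...
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("credentials in URL not allowed")  # e.g. http://trusted@evil/
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SSRFBlocked("invalid port") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port {port} not allowed")  # no probing of internal ports
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return Target(parts.scheme, host, port, resolve_public(host, resolver), path)


def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        vet_target(url, resolver)
        return True
    except SSRFBlocked:
        return False


def fetch_pinned(target: Target, timeout: float = 5.0, max_bytes: int = 1 << 20):
    """GET the vetted target over the pinned address. Redirects are refused: a 302
    from a public host to an internal address would bypass the vetting."""
    sock = socket.create_connection((target.ip, target.port), timeout=timeout)
    if target.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=target.host)
    host_hdr = f"[{target.host}]" if ":" in target.host else target.host
    if target.port != DEFAULT_PORTS[target.scheme]:
        host_hdr += f":{target.port}"
    conn = http.client.HTTPConnection(target.host, target.port, timeout=timeout)
    conn.sock = sock  # reuse the connection already made to the pinned address
    conn.request("GET", target.path, headers={"Host": host_hdr})
    resp = conn.getresponse()
    if 300 <= resp.status < 400:
        raise SSRFBlocked(f"redirect to {resp.getheader('Location')!r} refused")
    return resp.status, resp.read(max_bytes)
```

The decision is made on the resolved address and the fetch reuses that address, which is what closes the window between check and use that DNS rebinding exploits; where the proxy's legitimate destinations are known, an allowlist of hostnames is stricter still and preferable to this denylist of address ranges. The same is_public_ip predicate, run over the destination column of the host's egress flow logs, is also a workable detector for the outbound monitoring recommended above.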
Frequently asked questions
What is CVE-2026-33340 — SSRF in lollms-webui?
CVE-2026-33340 describes a critical Server-Side Request Forgery (SSRF) vulnerability in lollms-webui that lets unauthenticated attackers make arbitrary GET requests through the server. This can expose internal resources and cloud instance metadata. The advisory lists versions up to and including commit 8c5dcef63d847bb3d027ec74915d8fe4afd3014e as affected.
Am I affected by CVE-2026-33340 in lollms-webui?
If you are running lollms-webui at or before commit 8c5dcef63d847bb3d027ec74915d8fe4afd3014e, you are affected. The advisory text stated that no patched version was available at publication; the platform metadata above lists 8.0.1 as the fixed version, so check whether that release is available to you.
How do I fix CVE-2026-33340 in lollms-webui?
Upgrade to the fixed version (8.0.1 per the platform metadata) as soon as it is available to you. Until then, deny or authenticate access to /api/proxy at a reverse proxy or WAF, apply egress filtering so the host cannot reach internal ranges or the cloud metadata address, isolate the instance, and monitor its outbound connections.
Is CVE-2026-33340 being actively exploited?
While no active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Where can I find the official lollms-webui advisory for CVE-2026-33340?
Refer to the official lollms-webui project repository and security mailing lists for updates and advisories related to CVE-2026-33340.