Platform
python
Component
lollms-webui
Fixed version
8.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in lollms-webui, the Web user interface for Lord of Large Language and Multi modal Systems. This vulnerability allows unauthenticated attackers to force the server to make arbitrary GET requests, potentially leading to unauthorized access to internal resources. All known existing versions of lollms-webui (<= 8c5dcef63d847bb3d027ec74915d8fe4afd3014e) are affected, and no patched versions are currently available.
The SSRF vulnerability in lollms-webui poses a significant risk. Attackers can exploit the @router.post("/api/proxy") endpoint to craft malicious GET requests, effectively using the server as a proxy. This allows them to access internal services that are not directly exposed to the internet, scan the local network for vulnerable hosts, and potentially exfiltrate sensitive cloud metadata. For example, an attacker could retrieve AWS IAM tokens or GCP service account credentials, granting them privileged access to cloud resources. The blast radius extends to any internal services accessible via HTTP/HTTPS, making this a high-impact vulnerability.
This vulnerability was published on 2026-03-24. No exploitation campaigns are currently known, but the ease of exploitation and the potential for significant data compromise suggest a high likelihood of exploitation. The vulnerability is not currently listed on KEV or EPSS, but its critical CVSS score warrants immediate attention. Public proof-of-concept (POC) code is likely to emerge, further increasing the risk.
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
Given the lack of a patched version, immediate mitigation is crucial. Implement a Web Application Firewall (WAF) or reverse proxy with strict outbound request filtering rules to block requests to unauthorized domains and ports. Specifically, block any requests originating from the /api/proxy endpoint. Consider isolating the lollms-webui instance within a tightly controlled network segment to limit the potential impact of a successful exploitation. Regularly monitor network traffic for suspicious outbound requests. While a direct fix is unavailable, these measures can significantly reduce the attack surface.
No fixed version is available at the time of publication. It is recommended to monitor the lollms-webui repository for updates and to apply the patch as soon as it becomes available. As a temporary mitigation, access to the /api/proxy endpoint can be restricted, or strict validation of the proxied URLs can be implemented.
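As an added illustration of the strict URL validation the mitigations above call for (example code written for this page, not code from the lollms-webui project; the function names are hypothetical), the guard below enforces a scheme allowlist, refuses well-known metadata hostnames, resolves the target, and rejects anything that maps to loopback, private, link-local (which covers the 169.254.169.254 metadata address), reserved or unspecified ranges. It returns the addresses it checked so the caller can connect to exactly those, closing the gap that a check-then-resolve-again design leaves for DNS rebinding.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Names that cloud metadata services and local resolvers answer on, independent of IP.
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "localhost"}


def _resolve(host):
    """Default resolver: every IPv4/IPv6 address the hostname currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_disallowed_ip(ip_text):
    """True if the address lies in a range a proxy endpoint must never reach."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.1 style
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_proxy_target(url, resolve=_resolve):
    """Hypothetical guard for a proxy endpoint: returns (ok, reason, resolved_ips).
    Connect to one of the returned addresses instead of resolving again."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    host = parsed.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "missing host", set()
    if parsed.username or parsed.password:
        return False, "credentials in URL", set()
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, "blocked hostname", set()
    try:
        ipaddress.ip_address(host)
        ips = {host}  # IP literal: no DNS lookup needed
    except ValueError:
        try:
            ips = set(resolve(host))  # odd forms like 2130706433 end up here too
        except (socket.gaierror, OSError):
            return False, "unresolvable host", set()
    bad = sorted(ip for ip in ips if is_disallowed_ip(ip))
    if bad:
        return False, f"resolves to disallowed address {bad[0]}", ips
    return True, "ok", ips
```

A name that resolves to a mix of public and internal addresses is rejected outright, since the client could end up using either one.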
CVE-2026-33340 describes a critical Server-Side Request Forgery (SSRF) vulnerability in lollms-webui, allowing attackers to make arbitrary requests through the server. This can lead to access of internal resources and cloud metadata. The vulnerability affects versions <= 8c5dcef63d847bb3d027ec74915d8fe4afd3014e.
If you are running lollms-webui version <= 8c5dcef63d847bb3d027ec74915d8fe4afd3014e, you are affected by this vulnerability. No patched versions are currently available.
As no patched version is available, mitigation involves implementing a WAF with outbound request filtering, isolating the instance, and monitoring network traffic. A direct fix is unavailable at this time.
While no active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official lollms-webui project repository and security mailing lists for updates and advisories related to CVE-2026-33340.