Platform
python
Component
lollms-webui
Fixed version
8.0.1
A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in lollms-webui, the web user interface for Lord of Large Language and Multi modal Systems. This vulnerability allows unauthenticated attackers to force the server to make arbitrary GET requests, potentially leading to unauthorized access to internal resources. All known existing versions of lollms-webui (≤ 8c5dcef63d847bb3d027ec74915d8fe4afd3014e) are affected, and no patched versions are currently available.
The SSRF vulnerability in lollms-webui poses a significant risk. Attackers can exploit the @router.post("/api/proxy") endpoint to craft malicious GET requests, effectively using the server as a proxy. This allows them to access internal services that are not directly exposed to the internet, scan the local network for vulnerable hosts, and potentially exfiltrate sensitive cloud metadata. For example, an attacker could retrieve AWS IAM tokens or GCP service account credentials, granting them privileged access to cloud resources. The blast radius extends to any internal services accessible via HTTP/HTTPS, making this a high-impact vulnerability.
This vulnerability was published on 2026-03-24. No exploitation campaigns are currently known, but the ease of exploitation and the potential for significant data compromise suggest a high likelihood of exploitation. The vulnerability is not currently listed on KEV or EPSS, but its critical CVSS score warrants immediate attention. Public proof-of-concept (POC) code is likely to emerge, further increasing the risk.
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
Given the lack of a patched version, immediate mitigation is crucial. Implement a Web Application Firewall (WAF) or reverse proxy with strict outbound request filtering rules to block requests to unauthorized domains and ports. Specifically, block any requests originating from the /api/proxy endpoint. Consider isolating the lollms-webui instance within a tightly controlled network segment to limit the potential impact of a successful exploitation. Regularly monitor network traffic for suspicious outbound requests. While a direct fix is unavailable, these measures can significantly reduce the attack surface.
No fixed version is available at the time of publication. It is recommended to monitor the lollms-webui repository for updates and apply the patch as soon as it is available. As a temporary mitigation, access to the /api/proxy endpoint can be restricted, or strict validation of the proxied URLs can be implemented.
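As an added example (not lollms-webui's own code), this is the kind of strict proxied-URL validation the mitigation above calls for: an allowlist of destination hosts plus a check that every address the host resolves to is public, so a proxied request can never reach loopback, RFC 1918 space or the link-local cloud metadata address. The allowlist, the hostnames and the offline stand-in resolver are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist (assumption, not lollms-webui configuration): the proxy may
# only reach these hostnames, and only over http/https.
ALLOWED_HOSTS = {"api.example.com", "files.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_ip(ip: str) -> bool:
    """True for loopback, RFC 1918/ULA, link-local (covers 169.254.169.254 cloud
    metadata), multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_proxy_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (allowed, reason). `resolver` has the socket.getaddrinfo signature so
    the check can be exercised offline; the host must resolve to NO internal address."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"resolution failed: {exc}"
    # Every resolved address must be external: an allowlisted name that points
    # into private or link-local space is as dangerous as a raw internal IP.
    for info in infos:
        ip = info[4][0]
        if is_internal_ip(ip):
            return False, f"{host!r} resolves to internal address {ip}"
    # Caveat: the outbound request must connect to the address checked here and
    # re-validate on every redirect, or DNS rebinding / 3xx hops bypass the check.
    return True, "ok"


def fake_resolver(host, port, **_):
    """Constructed stand-in for socket.getaddrinfo so the example runs offline."""
    table = {"api.example.com": ["93.184.216.34"], "files.example.com": ["169.254.169.254"]}
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]
```

In production pass the real `socket.getaddrinfo` (the default); the fake resolver only exists so the two allowlisted names demonstrate the accept and the reject path without network access.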
CVE-2026-33340 describes a critical Server-Side Request Forgery (SSRF) vulnerability in lollms-webui, allowing attackers to make arbitrary requests through the server. This can lead to access to internal resources and cloud metadata. The vulnerability affects versions ≤ 8c5dcef63d847bb3d027ec74915d8fe4afd3014e.
If you are running lollms-webui version ≤ 8c5dcef63d847bb3d027ec74915d8fe4afd3014e, you are affected by this vulnerability. No patched versions are currently available.
As no patched version is available, mitigation involves implementing a WAF with outbound request filtering, isolating the instance, and monitoring network traffic. A direct fix is unavailable at this time.
While no active exploitation campaigns are currently known, the vulnerability's severity and ease of exploitation suggest a high likelihood of future exploitation.
Refer to the official lollms-webui project repository and security mailing lists for updates and advisories related to CVE-2026-33340.