CVE-2026-33340
Received Received - Intake
Critical SSRF in LoLLMs WEBUI Allows Internal Network Access

Publication date: 2026-03-24

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33340
EUVD
EUVD-2026-14928
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lollms lollms_web_ui *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33340 is a critical Server-Side Request Forgery (SSRF) vulnerability in the lollms-webui project, specifically in the `/api/proxy` endpoint. This endpoint allows unauthenticated attackers to make the server perform arbitrary GET requests to any URL without authentication or validation.

The vulnerability arises because the proxy function accepts a raw URL string from the user and directly uses it in an asynchronous HTTP GET request without checking the URL or the domain. This flaw enables attackers to access internal services, scan local networks, and exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.

No patched versions are currently available, and the vulnerability has a high severity with a CVSS v3.1 base score of 9.1.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to internal services and local-only ports that are not exposed publicly.

  • Attackers can scan internal networks to discover other vulnerable systems or services.
  • Sensitive cloud metadata, such as AWS or GCP IAM tokens, can be exfiltrated by querying the cloud metadata endpoint.
  • Attackers can pivot within internal networks to probe databases, APIs, or management interfaces.
  • Local access controls can be bypassed by making requests to localhost or trusted internal services.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing the `/api/proxy` endpoint of the lollms-webui server to see if it allows unauthenticated arbitrary GET requests. An attacker can attempt to make requests to internal services or cloud metadata endpoints through this proxy.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send a POST request to the `/api/proxy` endpoint with a JSON body containing a URL to an internal or sensitive resource, for example:'}, {'type': 'list_item', 'content': 'curl -X POST http://<lollms-webui-server>/api/proxy -H \'Content-Type: application/json\' -d \'{"url": "http://169.254.169.254/latest/meta-data/"}\''}, {'type': 'list_item', 'content': 'If the server responds with the content of the requested URL, it indicates the SSRF vulnerability is present.'}, {'type': 'list_item', 'content': 'Similarly, testing access to localhost or internal IPs can be done by changing the URL in the JSON payload to something like "http://127.0.0.1:8888/secret".'}] [1]

Mitigation Strategies

Immediate mitigation steps include implementing access control and restricting the URLs that the proxy endpoint can access.

  • Add authentication checks at the start of the proxy function to ensure only authorized clients can use it.
  • Implement domain whitelisting to restrict proxy requests to trusted domains only.
  • Block requests to private IP ranges such as 127.0.0.1, localhost, RFC 1918 ranges, and the cloud metadata IP 169.254.169.254.

As no patched versions are currently available, these mitigations must be applied manually in the code until an official fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart