CVE-2026-33340
Critical SSRF in LoLLMs WEBUI Allows Internal Network Access
Publication date: 2026-03-24
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lollms | lollms_web_ui | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33340 is a critical Server-Side Request Forgery (SSRF) vulnerability in the lollms-webui project, specifically in the `/api/proxy` endpoint. This endpoint allows unauthenticated attackers to make the server perform arbitrary GET requests to any URL without authentication or validation.
The vulnerability arises because the proxy function accepts a raw URL string from the user and directly uses it in an asynchronous HTTP GET request without checking the URL or the domain. This flaw enables attackers to access internal services, scan local networks, and exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.
No patched versions are currently available, and the vulnerability has a high severity with a CVSS v3.1 base score of 9.1.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to internal services and local-only ports that are not exposed publicly.
- Attackers can scan internal networks to discover other vulnerable systems or services.
- Sensitive cloud metadata, such as AWS or GCP IAM tokens, can be exfiltrated by querying the cloud metadata endpoint.
- Attackers can pivot within internal networks to probe databases, APIs, or management interfaces.
- Local access controls can be bypassed by making requests to localhost or trusted internal services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing the `/api/proxy` endpoint of the lollms-webui server to see if it allows unauthenticated arbitrary GET requests. An attacker can attempt to make requests to internal services or cloud metadata endpoints through this proxy.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send a POST request to the `/api/proxy` endpoint with a JSON body containing a URL to an internal or sensitive resource, for example:'}, {'type': 'list_item', 'content': 'curl -X POST http://<lollms-webui-server>/api/proxy -H \'Content-Type: application/json\' -d \'{"url": "http://169.254.169.254/latest/meta-data/"}\''}, {'type': 'list_item', 'content': 'If the server responds with the content of the requested URL, it indicates the SSRF vulnerability is present.'}, {'type': 'list_item', 'content': 'Similarly, testing access to localhost or internal IPs can be done by changing the URL in the JSON payload to something like "http://127.0.0.1:8888/secret".'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing access control and restricting the URLs that the proxy endpoint can access.
- Add authentication checks at the start of the proxy function to ensure only authorized clients can use it.
- Implement domain whitelisting to restrict proxy requests to trusted domains only.
- Block requests to private IP ranges such as 127.0.0.1, localhost, RFC 1918 ranges, and the cloud metadata IP 169.254.169.254.
As no patched versions are currently available, these mitigations must be applied manually in the code until an official fix is released.