CVE-2026-58501
Received Received - Intake

Zeep Python SOAP Client External Entity Injection via WSDL/XSD

Vulnerability report for CVE-2026-58501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
mikael_ΓΆrn zeep to 4.3.3 (exc)
mikael_ΓΆrn zeep 4.3.3
mvantellingen python-zeep From 4.0.0 (inc) to 4.3.3 (exc)
mvantellingen python-zeep 4.3.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58501 is a Server-Side Request Forgery (SSRF) vulnerability in the python-zeep library versions 4.0.0 through 4.3.2.

The vulnerability occurs because the `Settings.forbid_external` option, which is intended to block remote fetching of WSDL/XSD documents via mechanisms like xsd:import, xsd:include, wsdl:import, or lxml entity/DTD resolution, was defined but not enforced.

As a result, even if `forbid_external` was set to True, the application could still fetch external HTTP or HTTPS URLs embedded in untrusted WSDL or XSD documents.

This allows attackers to coerce the application into making server-side requests to arbitrary internal or sensitive endpoints by embedding malicious import/include references.

The issue was fixed in version 4.3.3 where the `forbid_external` setting is properly enforced, raising an exception when disallowed external references are encountered.

Impact Analysis

This vulnerability can impact you by allowing attackers to exploit the python-zeep client to perform Server-Side Request Forgery (SSRF) attacks.

An attacker can embed malicious references in WSDL or XSD documents that cause your application to make unintended HTTP or HTTPS requests to arbitrary internal or external endpoints.

Such forced requests could expose sensitive internal services, lead to information disclosure, or be used as a pivot point for further attacks within your network.

Exploitation requires no privileges or user interaction, making it easier for attackers to leverage this vulnerability.

To mitigate this risk, you should upgrade to python-zeep version 4.3.3 or later and enable the `forbid_external=True` setting when processing untrusted documents.

Temporary workarounds include avoiding untrusted WSDL/XSD documents, vendoring schemas locally, restricting network egress, or using a custom transport to block disallowed URLs.

Detection Guidance

This vulnerability involves the python-zeep library fetching external HTTP/HTTPS resources via xsd:import, xsd:include, wsdl:import, or lxml entity/DTD resolution when processing WSDL or XSD documents. Detection can focus on monitoring network traffic for unexpected outbound HTTP/HTTPS requests initiated by applications using python-zeep versions 4.0.0 through 4.3.2.

You can detect potential exploitation by capturing and analyzing network traffic for unusual or unauthorized HTTP/HTTPS requests from your system. For example, using tcpdump or Wireshark to monitor outbound connections on ports 80 and 443.

  • tcpdump -i <interface> 'tcp dst port 80 or tcp dst port 443'
  • Use application-level logging to check if python-zeep is processing WSDL/XSD documents from untrusted sources.
  • Enable verbose or debug logging in your application to detect if external references are being fetched during SOAP client operations.

Additionally, reviewing your python environment for the installed version of zeep can help identify if you are running a vulnerable version.

  • pip show zeep
Mitigation Strategies

To mitigate this vulnerability, you should upgrade the python-zeep library to version 4.3.3 or later, where the `forbid_external` setting is properly enforced to block external resource fetching.

After upgrading, ensure that you enable the `forbid_external=True` setting when processing WSDL or XSD documents, especially if they come from untrusted sources.

  • Upgrade python-zeep to version 4.3.3 or later.
  • Set `forbid_external=True` in your zeep client settings.
  • Avoid processing untrusted WSDL/XSD documents.
  • Vendor or locally store WSDL/XSD schemas to prevent remote fetching.
  • Restrict network egress to block unauthorized outbound HTTP/HTTPS requests.
  • Use a custom transport layer in zeep to block disallowed URLs.
Compliance Impact

CVE-2026-58501 is a Server-Side Request Forgery (SSRF) vulnerability in the python-zeep library that allows attackers to coerce applications into making server-side requests to arbitrary internal or sensitive endpoints by embedding malicious import/include references in untrusted WSDL/XSD documents.

This vulnerability could potentially lead to unauthorized access or exposure of sensitive data if exploited, which may impact compliance with data protection regulations such as GDPR or HIPAA that require safeguarding sensitive information and preventing unauthorized data access.

Mitigations include upgrading to version 4.3.3 or later and enabling the `forbid_external` setting to block external resource fetching, thereby reducing the risk of SSRF attacks and helping maintain compliance with security requirements in these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart