CVE-2026-33340

Critical CVSS: 9.1

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.

Vendor

Product

CWE

CWE-306

Yayın Tarihi

2026-03-24 17:16:44

Güncelleme

2026-03-25 15:41:58

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-306 CRITICAL 2026

Referanslar

https://github.com/ParisNeo/lollms-webui/blob/8c5dcef63d847bb3d027ec74915d8fe4afd3014e/lollms/server/endpoints/lollms_apps.py#L443-L450 https://github.com/ParisNeo/lollms-webui/security/advisories/GHSA-mcwr-5469-pxj4 https://github.com/ParisNeo/lollms-webui/security/advisories/GHSA-mcwr-5469-pxj4