CVE-2026-33340 Overview
A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in LoLLMs WEBUI, the web user interface for Lord of Large Language and Multi modal Systems. The vulnerability exists in the /api/proxy endpoint, which allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.
Critical Impact
Unauthenticated attackers can leverage this SSRF vulnerability to access internal network services, cloud metadata endpoints, and potentially exfiltrate sensitive credentials including IAM tokens. No patched versions are currently available.
Affected Products
- LoLLMs WEBUI (all known existing versions)
- lollms-webui server component with /api/proxy endpoint
- Deployments exposed to network access without additional access controls
Discovery Timeline
- 2026-03-24 - CVE-2026-33340 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33340
Vulnerability Analysis
This SSRF vulnerability stems from missing authentication on the @router.post("/api/proxy") endpoint within the LoLLMs WEBUI application. The endpoint is designed to proxy HTTP requests but lacks proper access controls and input validation, allowing any unauthenticated user to submit arbitrary URLs for the server to fetch. The vulnerable code is located in lollms/server/endpoints/lollms_apps.py at lines 443-450.
The weakness is classified under CWE-306 (Missing Authentication for Critical Function), which accurately describes the root cause: a critical server-side function that should require authentication is exposed without any access controls.
Root Cause
The root cause of this vulnerability is the absence of authentication checks on the /api/proxy endpoint. The endpoint accepts POST requests containing target URLs and processes them without verifying the identity or authorization of the requester. Additionally, there appears to be insufficient URL validation to restrict requests to safe destinations, allowing attackers to target internal resources, localhost services, and cloud metadata endpoints.
Attack Vector
The attack vector is network-based, requiring no user interaction or prior authentication. An attacker can directly send crafted POST requests to the /api/proxy endpoint from any network location with access to the LoLLMs WEBUI server. The attack flow involves:
- The attacker identifies a LoLLMs WEBUI instance exposed on the network
- A malicious POST request is sent to the /api/proxy endpoint containing an internal URL target
- The server processes the request and initiates an HTTP GET request to the attacker-specified URL
- The response from the internal service is returned to the attacker, potentially exposing sensitive data
Common exploitation targets include cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/), internal network services, and localhost-bound applications. For detailed technical information about the vulnerability, see the GitHub Security Advisory GHSA-mcwr-5469-pxj4 and the vulnerable code reference.
Detection Methods for CVE-2026-33340
Indicators of Compromise
- Unusual POST requests to /api/proxy endpoint from external IP addresses
- Server-initiated HTTP requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) or localhost
- Requests targeting cloud metadata endpoints (169.254.169.254)
- Abnormal outbound traffic patterns from the LoLLMs WEBUI server
Detection Strategies
- Monitor web server access logs for POST requests to /api/proxy from unauthenticated or suspicious sources
- Implement network monitoring to detect the server making unexpected outbound HTTP requests to internal IP ranges
- Configure cloud provider logging to detect metadata service access from application servers
- Deploy web application firewall (WAF) rules to inspect and block suspicious proxy requests
Monitoring Recommendations
- Enable verbose logging on the LoLLMs WEBUI application to capture all proxy endpoint requests
- Set up alerts for outbound connections from the LoLLMs server to internal network ranges or metadata endpoints
- Monitor for reconnaissance activity such as sequential requests to common internal service ports
- Review cloud audit logs for unauthorized metadata API access patterns
How to Mitigate CVE-2026-33340
Immediate Actions Required
- Restrict network access to LoLLMs WEBUI instances using firewall rules to limit exposure to trusted networks only
- Implement a reverse proxy with authentication in front of the LoLLMs WEBUI to require credentials for all API endpoints
- Block outbound requests from the LoLLMs server to internal IP ranges and cloud metadata endpoints at the network level
- Consider taking the application offline if it cannot be adequately protected until a patch is available
Patch Information
As of the publication date, no patched versions of LoLLMs WEBUI are available to address this vulnerability. Organizations should monitor the GitHub Security Advisory for updates and patch releases from the maintainer.
Workarounds
- Deploy a web application firewall (WAF) rule to block or require authentication for requests to the /api/proxy endpoint
- Use network segmentation to isolate the LoLLMs WEBUI server from sensitive internal services
- Configure instance metadata service (IMDS) to use IMDSv2 with session tokens, reducing the impact of SSRF attacks in cloud environments
- Implement egress filtering to prevent the server from making arbitrary outbound connections
# Example: Block access to cloud metadata endpoint using iptables on the LoLLMs server
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Example: Restrict access to the proxy endpoint using nginx
location /api/proxy {
deny all;
# Or require authentication
# auth_basic "Restricted Access";
# auth_basic_user_file /etc/nginx/.htpasswd;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
