CVE-2026-33340: LoLLMs WEBUI SSRF Vulnerability

CVE-2026-33340 Overview

A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in LoLLMs WEBUI, the web user interface for Lord of Large Language and Multi modal Systems. The vulnerability exists in the /api/proxy endpoint, which allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.

Critical Impact

Unauthenticated attackers can leverage this SSRF vulnerability to access internal network services, cloud metadata endpoints, and potentially exfiltrate sensitive credentials including IAM tokens. No patched versions are currently available.

Affected Products

• LoLLMs WEBUI (all known existing versions)
• lollms-webui server component with /api/proxy endpoint
• Deployments exposed to network access without additional access controls

Discovery Timeline

• 2026-03-24 - CVE-2026-33340 published to NVD
• 2026-03-25 - Last updated in NVD database

Technical Details for CVE-2026-33340

Vulnerability Analysis

This SSRF vulnerability stems from missing authentication on the @router.post("/api/proxy") endpoint within the LoLLMs WEBUI application. The endpoint is designed to proxy HTTP requests but lacks proper access controls and input validation, allowing any unauthenticated user to submit arbitrary URLs for the server to fetch. The vulnerable code is located in lollms/server/endpoints/lollms_apps.py at lines 443-450.

The weakness is classified under CWE-306 (Missing Authentication for Critical Function), which accurately describes the root cause: a critical server-side function that should require authentication is exposed without any access controls.

Root Cause

The root cause of this vulnerability is the absence of authentication checks on the /api/proxy endpoint. The endpoint accepts POST requests containing target URLs and processes them without verifying the identity or authorization of the requester. Additionally, there appears to be insufficient URL validation to restrict requests to safe destinations, allowing attackers to target internal resources, localhost services, and cloud metadata endpoints.

Attack Vector

The attack vector is network-based, requiring no user interaction or prior authentication. An attacker can directly send crafted POST requests to the /api/proxy endpoint from any network location with access to the LoLLMs WEBUI server. The attack flow involves:

1. The attacker identifies a LoLLMs WEBUI instance exposed on the network
2. A malicious POST request is sent to the /api/proxy endpoint containing an internal URL target
3. The server processes the request and initiates an HTTP GET request to the attacker-specified URL
4. The response from the internal service is returned to the attacker, potentially exposing sensitive data

Common exploitation targets include cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/), internal network services, and localhost-bound applications. For detailed technical information about the vulnerability, see the GitHub Security Advisory GHSA-mcwr-5469-pxj4 and the vulnerable code reference.

Detection Methods for CVE-2026-33340

Indicators of Compromise

• Unusual POST requests to /api/proxy endpoint from external IP addresses
• Server-initiated HTTP requests to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) or localhost
• Requests targeting cloud metadata endpoints (169.254.169.254)
• Abnormal outbound traffic patterns from the LoLLMs WEBUI server

Detection Strategies

• Monitor web server access logs for POST requests to /api/proxy from unauthenticated or suspicious sources
• Implement network monitoring to detect the server making unexpected outbound HTTP requests to internal IP ranges
• Configure cloud provider logging to detect metadata service access from application servers
• Deploy web application firewall (WAF) rules to inspect and block suspicious proxy requests

Monitoring Recommendations

• Enable verbose logging on the LoLLMs WEBUI application to capture all proxy endpoint requests
• Set up alerts for outbound connections from the LoLLMs server to internal network ranges or metadata endpoints
• Monitor for reconnaissance activity such as sequential requests to common internal service ports
• Review cloud audit logs for unauthorized metadata API access patterns

How to Mitigate CVE-2026-33340

Immediate Actions Required

• Restrict network access to LoLLMs WEBUI instances using firewall rules to limit exposure to trusted networks only
• Implement a reverse proxy with authentication in front of the LoLLMs WEBUI to require credentials for all API endpoints
• Block outbound requests from the LoLLMs server to internal IP ranges and cloud metadata endpoints at the network level
• Consider taking the application offline if it cannot be adequately protected until a patch is available

Patch Information

As of the publication date, no patched versions of LoLLMs WEBUI are available to address this vulnerability. Organizations should monitor the GitHub Security Advisory for updates and patch releases from the maintainer.

Workarounds

• Deploy a web application firewall (WAF) rule to block or require authentication for requests to the /api/proxy endpoint
• Use network segmentation to isolate the LoLLMs WEBUI server from sensitive internal services
• Configure instance metadata service (IMDS) to use IMDSv2 with session tokens, reducing the impact of SSRF attacks in cloud environments
• Implement egress filtering to prevent the server from making arbitrary outbound connections

# Example: Block access to cloud metadata endpoint using iptables on the LoLLMs server
iptables -A OUTPUT -d 169.254.169.254 -j DROP

# Example: Restrict access to the proxy endpoint using nginx
location /api/proxy {
    deny all;
    # Or require authentication
    # auth_basic "Restricted Access";
    # auth_basic_user_file /etc/nginx/.htpasswd;
}