CVE-2026-33682

{"id": "CVE-2026-33682", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}]}, "published": "2026-03-26T22:16:30.880", "references": [{"url": "https://github.com/streamlit/streamlit/commit/23692ca70b2f2ac720c72d1feb4f190c9d6eed76", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/streamlit/streamlit/releases/tag/1.54.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/streamlit/streamlit/security/advisories/GHSA-7p48-42j8-8846", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the `ComponentRequestHandler`, filesystem paths are resolved using `os.path.realpath()` or `Path.resolve()` before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., `\\\\attacker-controlled-host\\share`) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0."}, {"lang": "es", "value": "Streamlit es un framework de desarrollo de aplicaciones orientado a datos para python. Las versiones de Streamlit Open Source anteriores a la 1.54.0 ejecut\u00e1ndose en hosts Windows tienen una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) no autenticada. La vulnerabilidad surge de una validaci\u00f3n incorrecta de las rutas del sistema de archivos proporcionadas por el atacante. En ciertas rutas de c\u00f3digo, incluyendo dentro del 'ComponentRequestHandler', las rutas del sistema de archivos se resuelven usando 'os.path.realpath()' o 'Path.resolve()' antes de que ocurra una validaci\u00f3n suficiente. En sistemas Windows, proporcionar una ruta UNC maliciosa (por ejemplo, '\\\\attacker-controlled-host\\share') puede hacer que el servidor de Streamlit inicie conexiones SMB salientes a trav\u00e9s del puerto 445. Cuando Windows intenta autenticarse con el servidor SMB remoto, las credenciales de desaf\u00edo-respuesta NTLMv2 del usuario de Windows que ejecuta el proceso de Streamlit pueden ser transmitidas. Este comportamiento puede permitir a un atacante realizar ataques de retransmisi\u00f3n NTLM contra otros servicios internos y/o identificar hosts SMB accesibles internamente mediante an\u00e1lisis de tiempo. La vulnerabilidad ha sido corregida en la versi\u00f3n 1.54.0 de Streamlit Open Source."}], "lastModified": "2026-04-01T13:28:47.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:snowflake:streamlit:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "497DB8B7-82E6-4AB2-8D27-4C1F333C5D24", "versionEndExcluding": "1.54.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}