Home / Vulnerability Intelligence / CVE-2026-33693

CVE-2026-33693 - Vulnerability Analysis

MediumCVSS: 6.5

Last Updated: March 27, 2026

Lemmy - Server Side Request Forgery

Published: March 27, 2026Updated: March 27, 2026PoC AvailableRemote Exploitable

Overview

Lemmy < 0.7.0-beta.9 contains a server-side request forgery caused by missing check for Ipv4Addr::UNSPECIFIED (0.0.0.0) in v4_is_invalid() function, letting unauthenticated remote attackers bypass SSRF protection and access localhost services.

Severity & Score

Severity: Medium

CVSS Score: 6.5

Impact

Unauthenticated attackers can bypass SSRF protections to access internal localhost services, potentially exposing sensitive internal resources.

Mitigation

Update to version 0.7.0-beta.9 or later.

References

https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599
https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35
https://github.com/advisories/GHSA-7723-35v7-qcxw

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33693
Severity: Medium
CVSS Score: 6.5
Type: server_side_request_forgery
Status: new

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N