{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33693", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.932Z", "datePublished": "2026-03-27T00:03:35.946Z", "dateUpdated": "2026-03-30T11:51:10.425Z"}, "containers": {"cna": {"title": "Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35"}, {"name": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599", "tags": ["x_refsource_MISC"], "url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599"}, {"name": "https://github.com/advisories/GHSA-7723-35v7-qcxw", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-7723-35v7-qcxw"}], "affected": [{"vendor": "LemmyNet", "product": "lemmy", "versions": [{"version": "< 0.7.0-beta.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:03:35.946Z"}, "descriptions": [{"lang": "en", "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."}], "source": {"advisory": "GHSA-q537-8fr5-cw35", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:50:59.456186Z", "id": "CVE-2026-33693", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:51:10.425Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33693", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:50:59.456186Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:51:06.736Z"}}], "cna": {"title": "Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()", "source": {"advisory": "GHSA-q537-8fr5-cw35", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "LemmyNet", "product": "lemmy", "versions": [{"status": "affected", "version": "< 0.7.0-beta.9"}]}], "references": [{"url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35", "name": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599", "name": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-7723-35v7-qcxw", "name": "https://github.com/advisories/GHSA-7723-35v7-qcxw", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:03:35.946Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33693", "state": "PUBLISHED", "dateUpdated": "2026-03-30T11:51:10.425Z", "dateReserved": "2026-03-23T16:34:59.932Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:03:35.946Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue."}, {"lang": "es", "value": "Lemmy es un agregador de enlaces y un foro para el fediverso. Antes de la versi\u00f3n 0.7.0-beta.9, la funci\u00f3n `v4_is_invalid()` de `activitypub-federation-rust` (`src/utils.rs`) no comprueba si existe `Ipv4Addr::UNSPECIFIED` (0.0.0.0). Un atacante no autenticado que controle un dominio remoto puede apuntarlo a 0.0.0.0, eludir la protecci\u00f3n SSRF introducida por la correcci\u00f3n para CVE-2025-25194 (GHSA-7723-35v7-qcxw) y acceder a los servicios de localhost en el servidor de destino. La versi\u00f3n 0.7.0-beta.9 corrige el problema."}], "id": "CVE-2026-33693", "lastModified": "2026-04-28T21:14:50.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:18.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LemmyNet/activitypub-federation-rust/commit/4ae8532b17bc35755240b7f55d4a5b7665351599"}, {"source": "security-advisories@github.com", "url": "https://github.com/LemmyNet/lemmy/security/advisories/GHSA-q537-8fr5-cw35"}, {"source": "security-advisories@github.com", "url": "https://github.com/advisories/GHSA-7723-35v7-qcxw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.7.0-beta.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "lemmy", "source": "cna", "vendor": "LemmyNet"}, "product": "lemmy", "vendor": "lemmynet"}], "analysis": {"en": {"generated_at": "2026-03-27T06:25:48.782524+00:00", "value": {"mitigation_remediation": ["Apply Lemmy version 0.7.0\u2011beta.9 or later, which removes 0.0.0.0 from the whitelist.", "If an upgrade is delayed, block outbound traffic to 0.0.0.0 (and optionally 127.0.0.1) at the application or firewall level.", "Monitor domain resolution logs for attempts to resolve 0.0.0.0 and set alerts for unexpected patterns.", "Audit federation settings to restrict or whitelist only trusted domains where possible."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side request forgery"}, "threat_synthesis": {"affected_systems": "Systems running LemmyNet's Lemmy platform with the activitypub\u2011federation\u2011rust component prior to version 0.7.0\u2011beta.9 are affected. The vulnerability resides specifically in the authentication\u2011ignoring v4_is_invalid() routine. Instances of the older Lemmy build that expose user\u2011controlled federation URLs to the library are at risk.", "description_and_impact": "An unauthenticated attacker can manipulate a remote domain used by Lemmy to resolve to the IP address 0.0.0.0. The v4_is_invalid() function in activitypub\u2011federation\u2011rust does not reject this unspecified address, bypassing previous SSRF protections. As a result, the server may issue HTTP requests to localhost services, exposing internal interfaces or metadata. This server\u2011side request forgery can lead to data disclosure, credential theft, or further lateral movement within the host.", "risk_and_exploitability": "CVSS score of 6.5 indicates a moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require control of a remote domain name resolved by the victim server. Once the SSRF bypass succeeds, the attacker can reach any localhost services, including administration interfaces and internal APIs, thereby expanding the attack surface. Administrators should consider this a low\u2011to\u2011moderate risk but treat it as urgent, given the ease of creating a malicious domain."}}}}, "created": "2026-03-27T08:31:16.500651+00:00", "updated": "2026-03-27T09:22:38.760487+00:00", "vendors": ["lemmynet", "lemmynet$PRODUCT$lemmy"]}