Unauthenticated Server-Side Request Forgery in Streamlit Open Source for Windows
CVE-2026-33682

4.7 MEDIUM

Key Information:

Vendor: Streamlit
Status: Vendor
CVE Published: 26 March 2026

What is CVE-2026-33682?

Streamlit, a data-oriented application development framework for Python, has a vulnerability that allows unauthenticated Server-Side Request Forgery (SSRF) on Windows hosts. The issue stems from insufficient validation of filesystem paths, which lets an attacker control the paths the application operates on. Specifically, by supplying a malicious UNC path, an attacker could cause Streamlit to initiate an outbound SMB connection on port 445. As a consequence, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted, which can be exploited for NTLM relay attacks against internal services or to identify reachable SMB hosts via timing analysis. This vulnerability has been addressed in Streamlit Open Source version 1.54.0.
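As an added illustration of the mitigation (this is not Streamlit's code and not the fix shipped in 1.54.0), the Python helper below rejects UNC paths and any path that escapes a fixed local base directory before the application touches the filesystem; the base directory and the function names are assumptions, and the checks run on pure paths so they never trigger I/O themselves.

```python
from pathlib import PureWindowsPath
from typing import Optional


def is_unc_path(path: str) -> bool:
    """True if the path names a network location on Windows.

    Covers the \\\\server\\share form, the forward-slash form //server/share
    and the extended form \\\\?\\UNC\\server\\share. The local extended prefix
    \\\\?\\C:\\ is caught as well, which is acceptable: user input never needs it.
    """
    drive = PureWindowsPath(path).drive
    return drive.startswith("\\\\") or path.replace("/", "\\").startswith("\\\\")


def resolve_under_base(user_path: str, base: str) -> Optional[PureWindowsPath]:
    """Join user_path onto base only if the result is local and stays inside base.

    Returns None for UNC paths, for absolute or rooted input ("C:..." or
    "\\foo", either of which would replace base on join) and for any path that
    climbs above base with "..". Pure paths never touch the filesystem, so this
    check is safe to run before any open() or os.stat() call.
    """
    if is_unc_path(user_path):
        return None
    candidate = PureWindowsPath(user_path)
    if candidate.drive or candidate.root:
        return None
    kept = []
    for part in candidate.parts:
        if part == "..":
            if not kept:
                return None  # attempt to escape the base directory
            kept.pop()
        elif part != ".":
            kept.append(part)
    # Hypothetical base such as C:\app\data; the caller fixes it, never the user.
    return PureWindowsPath(base).joinpath(*kept)
```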

Affected Version(s)

streamlit < 1.54.0

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved