SSRF Vulnerability in Lemmy's ActivityPub Federation Component
CVE-2026-33693

6.5 MEDIUM

Key Information:

Vendor

Lemmynet

Status
Vendor
CVE Published:
27 March 2026

What is CVE-2026-33693?

A vulnerability in Lemmy's v4_is_invalid() function allows unauthenticated attackers to exploit a gap in the ActivityPub federation component's address filtering. By pointing an attacker-controlled domain at 0.0.0.0, which the function did not treat as an invalid address, an attacker can bypass the Server-Side Request Forgery (SSRF) protections introduced after previous vulnerabilities such as GHSA-7723-35v7-qcxw, since connecting to 0.0.0.0 reaches the local host on common platforms. This could enable access to sensitive services bound to localhost on the target server. Users are strongly advised to update to version 0.7.0-beta.9 or later, where this vulnerability has been addressed.
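As an added, defender-side illustration (example code, not Lemmy's own), the following Rust filter shows the kind of check a v4_is_invalid() function needs so that the unspecified address 0.0.0.0 is rejected together with loopback and the other non-routable ranges, and so that the same host cannot slip through in IPv4-mapped IPv6 notation; the function name is reused from the page, but the bodies and the IPv6 handling are assumptions of this example.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// True when an IPv4 address must not be fetched by a federation worker.
/// Example implementation, not Lemmy's. The unspecified address 0.0.0.0 is the
/// case CVE-2026-33693 concerns: connecting to it reaches the local host on
/// common platforms, so it has to be blocked exactly like 127.0.0.0/8.
pub fn v4_is_invalid(addr: Ipv4Addr) -> bool {
    let o = addr.octets();
    addr.is_unspecified()           // 0.0.0.0 (this advisory's bypass)
        || addr.is_loopback()       // 127.0.0.0/8
        || addr.is_private()        // 10/8, 172.16/12, 192.168/16
        || addr.is_link_local()     // 169.254/16 (cloud metadata endpoints)
        || addr.is_broadcast()      // 255.255.255.255
        || addr.is_multicast()      // 224/4
        || addr.is_documentation()  // 192.0.2/24, 198.51.100/24, 203.0.113/24
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64/10 shared address space
}

/// IPv6 counterpart. IPv4-mapped addresses (e.g. ::ffff:0.0.0.0) are unwrapped
/// and handed to the v4 rules so the blocklist cannot be dodged by notation.
pub fn v6_is_invalid(addr: Ipv6Addr) -> bool {
    if let Some(v4) = addr.to_ipv4_mapped() {
        return v4_is_invalid(v4);
    }
    let s = addr.segments();
    addr.is_unspecified()               // ::
        || addr.is_loopback()           // ::1
        || addr.is_multicast()          // ff00::/8
        || (s[0] & 0xffc0) == 0xfe80    // fe80::/10 link-local
        || (s[0] & 0xfe00) == 0xfc00    // fc00::/7 unique local
}

/// Apply to every address a hostname resolves to, not just the first one;
/// a single routable A record beside a 0.0.0.0 record must still fail.
pub fn ip_is_invalid(addr: IpAddr) -> bool {
    match addr {
        IpAddr::V4(v4) => v4_is_invalid(v4),
        IpAddr::V6(v6) => v6_is_invalid(v6),
    }
}

fn main() {
    // Constructed sample inputs: the bypass address, a loopback address and a
    // routable one, to show the filter's verdict on each.
    for ip in ["0.0.0.0", "127.0.0.1", "::ffff:0.0.0.0", "93.184.216.34"] {
        let parsed: IpAddr = ip.parse().expect("valid literal");
        println!("{ip:>16} -> blocked: {}", ip_is_invalid(parsed));
    }
}
```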

Affected Version(s)

lemmy < 0.7.0-beta.9

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
