Information Disclosure in curl_cffi Python Binding from Lexiforest
CVE-2026-33752

8.6HIGH

Key Information:

Vendor: Lexiforest
Status: Curl Cffi
Vendor: CVE Published:; 6 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-33752?

The curl_cffi library, a Python binding for the curl command line tool, has a security oversight in versions prior to 0.15.0 that allows unrestricted requests to internal IP addresses and services. This flaw can lead to attackers exploiting the redirection feature, enabling them to potentially access sensitive cloud metadata endpoints. Additionally, the TLS impersonation capability of curl_cffi can make malicious requests blend in with authentic browser traffic, posing a significant risk to network security by circumventing established control measures.

Affected Version(s)

curl_cffi < 0.15.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-33752
Created by redyank

References

https://github.com/lexiforest/curl_cffi/security/advisori...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
🟡
Public PoC available
Apr 3, 2026
👾
Exploit known to exist
Apr 3, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33752 Data

JSON