Server-Side Request Forgery in web3.py by Ethereum
CVE-2026-40072
What is CVE-2026-40072?
web3.py, a Python library for interacting with the Ethereum blockchain, is susceptible to Server-Side Request Forgery (SSRF) because it does not validate the URLs that smart contracts supply via the offchain_lookup_payload. The library follows these URLs directly, so a malicious contract can direct the application's HTTP requests to arbitrary destinations, including internal resources and cloud metadata services. This behaviour is enabled by default, which undermines the security of applications relying on web3.py, particularly in backend environments. Users should upgrade to the fixed versions: 7.15.0 or higher, or 8.0.0b2 on the 8.x beta line.
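The defensive counterpart to the flaw described above is to validate a contract-supplied gateway URL before the backend follows it: enforce the scheme, reject cloud metadata hosts and any host that resolves to a loopback, private or link-local address, and optionally restrict gateways to an allowlist. The helper below is an added example written for this page; it is not web3.py's own code and makes no claim about how the 7.15.0 fix is implemented. The function name `validate_gateway_url`, the `resolver` hook (injected so the check can run offline) and the sample URLs are all assumptions.

```python
"""Validate a CCIP-Read style gateway URL before making the HTTP request.

Hypothetical helper (not web3.py's code). A backend would call
validate_gateway_url() on the URL taken from an offchain lookup payload
and refuse to fetch when it returns (False, reason).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Well-known cloud metadata endpoints; rejected by name regardless of resolution.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def _is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_loopback
                                   or addr.is_link_local or addr.is_unspecified)


def _default_resolver(host: str) -> list[str]:
    """Resolve a hostname to the set of addresses it currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_gateway_url(url: str, allowed_hosts=None, resolver=_default_resolver):
    """Return (ok, reason). The URL is rejected unless it is https, carries no
    credentials, is not a metadata host, is on the allowlist (if one is given)
    and every address it resolves to is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    if not host:
        return False, "missing host"
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False, "cloud metadata host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        ips = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            ips = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not ips:
        return False, "host resolved to no addresses"
    for ip in ips:
        if not _is_public_ip(ip):
            return False, f"resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs; the fake resolver keeps this runnable offline.
    fake_dns = {"gateway.example": ["1.2.3.4"], "intranet.example": ["10.0.0.5"]}
    for sample in ("https://gateway.example/{sender}/{data}.json",
                   "http://gateway.example/{sender}/{data}.json",
                   "https://169.254.169.254/latest/meta-data/",
                   "https://intranet.example/admin",
                   "https://[::1]/"):
        print(sample, "->", validate_gateway_url(sample, resolver=fake_dns.__getitem__))
```

Validate the URL template as the contract supplied it (before substituting `{sender}` and `{data}`) so contract data cannot change the host, and when the request is made, connect to the address that was checked rather than resolving the name a second time; otherwise a DNS answer that changes between the check and the fetch defeats the validation.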
Affected Version(s)
web3.py: affected >= 6.0.0b3, < 7.15.0; unaffected < 6.0.0b3 and 7.15.0
web3.py: affected >= 8.0.0b1, < 8.0.0b2; unaffected < 8.0.0b1 and 8.0.0b2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
References
CVSS V4
Timeline
- Public PoC available
- Exploit known to exist
Vulnerability published
Vulnerability Reserved
