Windows-based Streamlit deployments below 1.54.0 allow adjacent-network attackers to harvest NTLMv2 credentials without authentication by submitting a crafted UNC path to the ComponentRequestHandler. Captured hashes enable NTLM relay attacks against other internal services, making this a lateral movement risk in enterprise ML environments. Patch to 1.54.0 immediately and block outbound SMB (port 445) from all Streamlit hosts as an interim control.
What is the risk?
CVSS 4.7 Medium understates real-world risk in enterprise environments where Streamlit runs on Windows desktops or servers hosting internal ML dashboards. The adjacent network requirement is trivially satisfied in flat corporate networks or shared data science platforms. NTLM relay is a well-understood, heavily tooled attack technique (Responder, Impacket ntlmrelayx) with high success rates against unpatched internal Windows services. Actual exploitability is constrained by adjacency and high attack complexity, but downstream impact on internal infrastructure can be significant if service accounts have broad privileges.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Streamlit | pip | < 1.54.0 | 1.54.0 |
Do you use Streamlit? You're affected.
What should I do?
6 steps:
- Patch: Upgrade Streamlit to 1.54.0 or later immediately.
- Network control: Block outbound SMB (TCP/UDP 445) and NetBIOS (137-139) from all hosts running Streamlit.
- SMB signing: Enable mandatory SMB signing on all Windows hosts to neutralize NTLM relay attacks even if credentials are captured.
- Least privilege: Ensure Streamlit runs as a low-privileged local service account, not a domain account or local admin.
- Detection: Monitor for unexpected outbound port 445 connections from Streamlit hosts; alert on connections to unfamiliar internal IPs.
- NTLM hardening: Enforce Extended Protection for Authentication (EPA) and consider disabling NTLMv2 in favor of Kerberos where feasible.
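The detection step above can be turned into a concrete hunting rule. The following is an added example, not code from Streamlit or from this advisory: it scans Sysmon Event ID 3 (NetworkConnect) records for outbound SMB or NetBIOS session connections from hosts in a Streamlit inventory to any destination that is not a sanctioned file server. The host inventory, the file-server allow-list and the event records are all constructed for the example.

```python
import json
from typing import Dict, Iterable, List

# Ports from the advisory's network-control step: SMB (445) and NetBIOS session (139).
SMB_PORTS = {445, 139}

# Constructed inventory for this example (assumptions, not real hosts): machines
# known to run Streamlit, and the file servers they are sanctioned to reach over SMB.
STREAMLIT_HOSTS = {"ML-DASH-01", "ML-DASH-02"}
ALLOWED_SMB_SERVERS = {"10.0.5.10"}

# Constructed Sysmon Event ID 3 records, one JSON object per line. Field names
# follow Sysmon's NetworkConnect schema; every value below is invented.
SAMPLE_EVENTS = [
    # sanctioned file server: expected traffic, no alert
    '{"Computer":"ML-DASH-01","EventID":3,"Image":"C:\\\\venv\\\\Scripts\\\\python.exe","User":"CORP\\\\svc_streamlit","Initiated":"true","DestinationIp":"10.0.5.10","DestinationPort":445}',
    # same interpreter reaching an unfamiliar internal host on 445: alert
    '{"Computer":"ML-DASH-01","EventID":3,"Image":"C:\\\\venv\\\\Scripts\\\\python.exe","User":"CORP\\\\svc_streamlit","Initiated":"true","DestinationIp":"10.0.9.77","DestinationPort":445}',
    # browser HTTPS traffic: not an SMB port, ignored
    '{"Computer":"ML-DASH-01","EventID":3,"Image":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe","User":"CORP\\\\alice","Initiated":"true","DestinationIp":"142.250.74.46","DestinationPort":443}',
    # inbound SMB to the dashboard host (Initiated=false): not the pattern hunted here
    '{"Computer":"ML-DASH-01","EventID":3,"Image":"System","User":"NT AUTHORITY\\\\SYSTEM","Initiated":"false","DestinationIp":"10.0.7.4","DestinationPort":445}',
    # not a Streamlit host: out of scope for this rule
    '{"Computer":"FILESRV-02","EventID":3,"Image":"C:\\\\Windows\\\\System32\\\\svchost.exe","User":"NT AUTHORITY\\\\SYSTEM","Initiated":"true","DestinationIp":"10.0.9.77","DestinationPort":445}',
    # NetBIOS session port to the same unfamiliar host from the second dashboard: alert
    '{"Computer":"ML-DASH-02","EventID":3,"Image":"C:\\\\venv\\\\Scripts\\\\python.exe","User":"CORP\\\\svc_streamlit","Initiated":"true","DestinationIp":"10.0.9.77","DestinationPort":139}',
]


def flag_outbound_smb(lines: Iterable[str],
                      streamlit_hosts=STREAMLIT_HOSTS,
                      allowed=ALLOWED_SMB_SERVERS) -> List[Dict]:
    """Return one alert per outbound SMB/NetBIOS connection from a Streamlit host
    to a destination that is not on the sanctioned file-server list."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 3 or ev.get("Initiated") != "true":
            continue  # only outbound NetworkConnect events matter for this rule
        if ev.get("Computer") not in streamlit_hosts:
            continue  # rule is scoped to hosts running Streamlit
        if int(ev.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        if ev.get("DestinationIp") in allowed:
            continue  # known file server: expected traffic
        alerts.append({
            "host": ev["Computer"],
            "process": ev["Image"],
            "user": ev.get("User"),
            "dest": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "reason": "outbound SMB/NetBIOS from Streamlit host to unsanctioned destination",
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_outbound_smb(SAMPLE_EVENTS):
        print(alert)
```

Once the firewall rule from step 2 is in place, the same events appear as blocked connections instead of successful ones; keeping this rule running on either event source confirms that the block is actually enforced and surfaces any host the inventory missed.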
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-33682?
Windows-based Streamlit deployments below 1.54.0 allow adjacent-network attackers to harvest NTLMv2 credentials without authentication by submitting a crafted UNC path to the ComponentRequestHandler. Captured hashes enable NTLM relay attacks against other internal services, making this a lateral movement risk in enterprise ML environments. Patch to 1.54.0 immediately and block outbound SMB (port 445) from all Streamlit hosts as an interim control.
Is CVE-2026-33682 actively exploited?
No confirmed active exploitation of CVE-2026-33682 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-33682?
1. Patch: Upgrade Streamlit to 1.54.0 or later immediately. 2. Network control: Block outbound SMB (TCP/UDP 445) and NetBIOS (137-139) from all hosts running Streamlit. 3. SMB signing: Enable mandatory SMB signing on all Windows hosts to neutralize NTLM relay attacks even if credentials are captured. 4. Least privilege: Ensure Streamlit runs as a low-privileged local service account, not a domain account or local admin. 5. Detection: Monitor for unexpected outbound port 445 connections from Streamlit hosts; alert on connections to unfamiliar internal IPs. 6. NTLM hardening: Enforce Extended Protection for Authentication (EPA) and consider disabling NTLMv2 in favor of Kerberos where feasible.
What systems are affected by CVE-2026-33682?
This vulnerability affects the following AI/ML architecture patterns: ML dashboards and demos, internal data science platforms, model serving UIs, prototype AI applications, and ML pipeline monitoring tools.
What is the CVSS score for CVE-2026-33682?
CVE-2026-33682 has a CVSS v3.1 base score of 4.7 (MEDIUM). The EPSS exploitation probability is 0.01%.
Technical Details
NVD Description
Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the `ComponentRequestHandler`, filesystem paths are resolved using `os.path.realpath()` or `Path.resolve()` before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., `\\attacker-controlled-host\share`) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0.
Exploitation Scenario
An attacker with access to the same internal network segment as a Windows Streamlit server—e.g., a malicious insider, a compromised workstation, or an attacker who has already pivoted into the environment—sets up a rogue SMB server using Responder. They submit a crafted HTTP request to the Streamlit ComponentRequestHandler containing a UNC path (e.g., \\attacker-ip\share) as a filesystem parameter. Streamlit calls os.path.realpath() on the input before validation, causing the Windows host to initiate an SMB connection to the attacker's server. Windows performs NTLMv2 authentication, transmitting the credential hash of the Streamlit service account. The attacker captures the hash and relays it via Impacket's ntlmrelayx to authenticate against another internal service—Active Directory, SQL Server, or a file share—without knowing the plaintext password, achieving lateral movement across the ML infrastructure.
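The root cause in the NVD description and the scenario above is ordering: the path is resolved before it is validated, and on Windows resolving a UNC path is itself the outbound SMB connection. The following added example (not Streamlit's code; `naive_join`, `validate_component_path` and `BASE_DIR` are hypothetical names chosen for illustration) shows why a check that runs after joining or resolving cannot help, and what a validate-first check looks like. It uses `ntpath` so the Windows path rules can be exercised on any operating system without touching the filesystem.

```python
import ntpath

# Hypothetical directory a component handler would serve files from (constructed value).
BASE_DIR = "C:\\app\\components"


class UnsafePath(ValueError):
    """Raised when a request path must not be resolved at all."""


def naive_join(base_dir: str, user_path: str) -> str:
    """The resolve-first pattern the advisory describes, reduced to its core.

    ntpath.join discards base_dir as soon as the second argument is absolute or
    UNC, so a 'does the result start with base_dir?' check can only run after
    the UNC target has already been handed to the filesystem layer. On Windows,
    os.path.realpath() on that result is what triggers the outbound SMB connect;
    the join alone is enough to show the base directory being thrown away.
    """
    return ntpath.join(base_dir, user_path)


def validate_component_path(base_dir: str, user_path: str) -> str:
    """Validate the raw request string first, then build the path.

    Nothing here touches the filesystem, so a UNC input can never reach the
    SMB client; it is rejected before any join or resolve happens.
    """
    # Treat forward slashes as separators: Windows accepts //host/share as UNC too.
    p = user_path.replace("/", "\\")
    if "\x00" in p:
        raise UnsafePath("NUL byte in path")
    if p.startswith("\\\\"):
        # \\host\share (UNC) and the \\?\ and \\.\ device prefixes all start this way
        raise UnsafePath("UNC or device path rejected")
    drive, tail = ntpath.splitdrive(p)
    if drive:
        # C:\x and drive-relative C:x both name a location outside base_dir
        raise UnsafePath("drive-qualified path rejected")
    if tail.startswith("\\"):
        raise UnsafePath("rooted path rejected")
    norm = ntpath.normpath(p)
    if norm == ".." or norm.startswith("..\\"):
        raise UnsafePath("parent-directory traversal rejected")
    # Only now is it safe to combine with the base directory and, on a real
    # Windows host, to resolve and open the result.
    return ntpath.join(base_dir, norm)


def is_safe_component_path(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean convenience wrapper around validate_component_path."""
    try:
        validate_component_path(base_dir, user_path)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    unc = "\\\\attacker-host\\share\\x"  # constructed UNC string, never resolved here
    print("naive join keeps base dir?", naive_join(BASE_DIR, unc).startswith(BASE_DIR))
    print("validate-first accepts it?", is_safe_component_path(unc))
    print(validate_component_path(BASE_DIR, "widget/index.html"))
```

The order of the checks matters: the UNC and drive tests run on the untouched string, and `ntpath.normpath` is applied only to input that is already known to be relative, so traversal sequences are collapsed without ever producing an absolute or UNC result.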
CVSS Vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Related Vulnerabilities
- CVE-2024-41115 (9.8): streamlit-geospatial: eval() injection enables RCE (same package: streamlit)
- CVE-2024-41113 (9.8): streamlit-geospatial: RCE via eval() in Timelapse page (same package: streamlit)
- CVE-2024-41114 (9.8): streamlit-geospatial: RCE via eval() on palette input (same package: streamlit)
- CVE-2024-41112 (9.8): streamlit-geospatial: RCE via eval() on palette input (same package: streamlit)
- CVE-2024-41116 (9.8): streamlit-geospatial: RCE via eval() injection (same package: streamlit)