CVE-2026-33682: Streamlit: SSRF leaks NTLMv2 creds via UNC path

GHSA-7p48-42j8-8846 MEDIUM
Published March 26, 2026
CISO Take

Windows-based Streamlit deployments below 1.54.0 allow adjacent-network attackers to harvest NTLMv2 credentials without authentication by submitting a crafted UNC path to the ComponentRequestHandler. Captured hashes enable NTLM relay attacks against other internal services, making this a lateral movement risk in enterprise ML environments. Patch to 1.54.0 immediately and block outbound SMB (port 445) from all Streamlit hosts as an interim control.

What is the risk?

CVSS 4.7 Medium understates real-world risk in enterprise environments where Streamlit runs on Windows desktops or servers hosting internal ML dashboards. The adjacent network requirement is trivially satisfied in flat corporate networks or shared data science platforms. NTLM relay is a well-understood, heavily tooled attack technique (Responder, Impacket ntlmrelayx) with high success rates against unpatched internal Windows services. Actual exploitability is constrained by adjacency and high attack complexity, but downstream impact on internal infrastructure can be significant if service accounts have broad privileges.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Streamlit pip < 1.54.0 1.54.0
45.1K OpenSSF 7.2 2.9K dependents Pushed 6d ago 7% patched ~0d to patch Full package profile →

Do you use Streamlit? You're affected.

How severe is it?

CVSS 3.1
4.7 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Adjacent
AC High
PR None
UI None
S Changed
C Low
I Low
A None

What should I do?

6 steps
  1. Patch: Upgrade Streamlit to 1.54.0 or later immediately.

  2. Network control: Block outbound SMB (TCP/UDP 445) and NetBIOS (137-139) from all hosts running Streamlit.

  3. SMB signing: Enable mandatory SMB signing on all Windows hosts to neutralize NTLM relay attacks even if credentials are captured.

  4. Least privilege: Ensure Streamlit runs as a low-privileged local service account, not a domain account or local admin.

  5. Detection: Monitor for unexpected outbound port 445 connections from Streamlit hosts; alert on connections to unfamiliar internal IPs.

  6. NTLM hardening: Enforce Extended Protection for Authentication (EPA) and consider disabling NTLMv2 in favor of Kerberos where feasible.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2 - AI System Design and Security Requirements
NIST AI RMF
MS-2.5 - AI System Security and Vulnerability Management
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-33682?

Windows-based Streamlit deployments below 1.54.0 allow adjacent-network attackers to harvest NTLMv2 credentials without authentication by submitting a crafted UNC path to the ComponentRequestHandler. Captured hashes enable NTLM relay attacks against other internal services, making this a lateral movement risk in enterprise ML environments. Patch to 1.54.0 immediately and block outbound SMB (port 445) from all Streamlit hosts as an interim control.

Is CVE-2026-33682 actively exploited?

No confirmed active exploitation of CVE-2026-33682 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33682?

1. Patch: Upgrade Streamlit to 1.54.0 or later immediately. 2. Network control: Block outbound SMB (TCP/UDP 445) and NetBIOS (137-139) from all hosts running Streamlit. 3. SMB signing: Enable mandatory SMB signing on all Windows hosts to neutralize NTLM relay attacks even if credentials are captured. 4. Least privilege: Ensure Streamlit runs as a low-privileged local service account, not a domain account or local admin. 5. Detection: Monitor for unexpected outbound port 445 connections from Streamlit hosts; alert on connections to unfamiliar internal IPs. 6. NTLM hardening: Enforce Extended Protection for Authentication (EPA) and consider disabling NTLMv2 in favor of Kerberos where feasible.

What systems are affected by CVE-2026-33682?

This vulnerability affects the following AI/ML architecture patterns: ML dashboards and demos, Internal data science platforms, Model serving UI, Prototype AI applications, ML pipeline monitoring tools.

What is the CVSS score for CVE-2026-33682?

CVE-2026-33682 has a CVSS v3.1 base score of 4.7 (MEDIUM). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

ML dashboards and demosInternal data science platformsModel serving UIPrototype AI applicationsML pipeline monitoring tools

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0091 Use Alternate Authentication Material
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the `ComponentRequestHandler`, filesystem paths are resolved using `os.path.realpath()` or `Path.resolve()` before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., `\\attacker-controlled-host\share`) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0.

Exploitation Scenario

An attacker with access to the same internal network segment as a Windows Streamlit server—e.g., a malicious insider, a compromised workstation, or an attacker who has already pivoted into the environment—sets up a rogue SMB server using Responder. They submit a crafted HTTP request to the Streamlit ComponentRequestHandler containing a UNC path (e.g., \\attacker-ip\share) as a filesystem parameter. Streamlit calls os.path.realpath() on the input before validation, causing the Windows host to initiate an SMB connection to the attacker's server. Windows performs NTLMv2 authentication, transmitting the credential hash of the Streamlit service account. The attacker captures the hash and relays it via Impacket's ntlmrelayx to authenticate against another internal service—Active Directory, SQL Server, or a file share—without knowing the plaintext password, achieving lateral movement across the ML infrastructure.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Timeline

Published
March 26, 2026
Last Modified
March 26, 2026
First Seen
March 26, 2026

Related Vulnerabilities