CVE-2026-33752 HIGH

CVE-2026-33752: Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)

Vendor Lexiforest
Product curl_cffi
Weakness CWE-918 · SSRF
Published April 6, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-3412 mymagicpower AIAS InferController.java server-side request forgery CVE-2026-40160 PraisonAIAgents has SSRF via unvalidated URL in `web_crawl` httpx fallback CVE-2024-13845 Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook CVE-2026-45400 Open WebUI: Server-Side Request Forgery (SSRF) bypass in `validate_url` CVE-2026-33351 AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass