PT-2026-28176 · Streamlit+1

Sfc-Gh-Pkamdar · Published 2026-03-25 · Updated 2026-03-27 · CVE-2026-33682

CVSS v3.1: 4.8 (Medium) · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Streamlit versions prior to 1.54.0
Description: Streamlit Open Source versions running on Windows hosts are affected by an unauthenticated Server-Side Request Forgery (SSRF) issue caused by insufficient validation of attacker-supplied filesystem paths. Within the ComponentRequestHandler, paths are resolved with os.path.realpath() or Path.resolve() without adequate validation. Supplying a UNC path (e.g., \\attacker-controlled-host\share) causes the Streamlit server to initiate an outbound SMB connection on TCP port 445 while resolving it. During that connection the NTLMv2 challenge-response of the Windows user running the Streamlit process may be transmitted to the attacker's host, potentially allowing NTLM relay attacks against internal services, or identification of reachable SMB hosts through timing analysis. Server-Side Request Forgery is a class of web flaw in which an attacker causes the server to open a connection to a destination of the attacker's choosing; in this case the forced connection is SMB rather than HTTP. NTLMv2 is a challenge-response network authentication protocol used by Windows; a response captured in transit can be relayed to services that accept NTLM authentication without requiring signing.
Recommendations: Upgrade to Streamlit Open Source version 1.54.0 or later. Until the upgrade is applied, blocking outbound TCP/445 from the Streamlit host and enforcing SMB signing on internal services reduce the impact of a leaked NTLMv2 response.

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-33682
GHSA-7P48-42J8-8846

Affected Products

Streamlit
Windows