Description
A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wordnet_app component of the NLTK library contains a flaw that allows an unauthenticated user to terminate the WordNet Browser HTTP server by requesting the special URL /SHUTDOWN THE SERVER. Because the request is accepted on all network interfaces and triggers os._exit(0), the server process is brought down immediately, causing a denial of service. This weakness arises from a missing security check (CWE-306).

Affected Systems

The issue affects versions of the NLTK library (nltk/nltk) through 3.9.3. Users running any of these releases with the default WordNet Browser HTTP server configuration are vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is classified as high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and it is not listed in the CISA KEV catalog. Nonetheless, the attack can be launched remotely against any instance where the server is listening on an externally reachable interface; the attacker merely needs to send an unauthenticated GET request targeting /SHUTDOWN THE SERVER.

Generated by OpenCVE AI on June 17, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NLTK to a version that removes the vulnerability (e.g., 3.9.4 or newer).
  • If an upgrade is not possible, reconfigure the WordNet Browser to bind only to localhost (127.0.0.1) or disable the HTTP server entirely.
  • Apply network-level controls such as firewall rules to block external access to the WordNet Browser HTTP listening port.

Generated by OpenCVE AI on June 17, 2026 at 17:37 UTC.
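The loopback-only binding and client check from the recommended actions, as an added Python example (not NLTK's own code): a minimal http.server handler that binds to 127.0.0.1, percent-decodes the request target, and honours the shutdown route only for a loopback client, stopping the serving loop cleanly instead of calling os._exit(0). BIND_ADDR, PORT and the handler/function names are assumptions.

```python
# Added example, not NLTK's code: a WordNet-browser-style HTTP server that
# (a) binds to loopback instead of all interfaces and (b) honours the
# shutdown route only for loopback clients, stopping the serve loop cleanly
# instead of calling os._exit(0). BIND_ADDR, PORT and class names are assumed.
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

SHUTDOWN_PATH = "/SHUTDOWN THE SERVER"  # route named in the advisory
BIND_ADDR = "127.0.0.1"                 # mitigation: loopback only, never 0.0.0.0
PORT = 8000                             # assumed port

def is_shutdown_request(raw_path: str) -> bool:
    """True if the target, percent-decoded and stripped of any query, is the shutdown route."""
    return unquote(urlsplit(raw_path).path) == SHUTDOWN_PATH

def may_shutdown(client_ip: str, raw_path: str) -> bool:
    """Allow shutdown only for a syntactically valid loopback client address (IPv4 or IPv6)."""
    if not is_shutdown_request(raw_path):
        return False
    try:
        return ipaddress.ip_address(client_ip).is_loopback
    except ValueError:
        return False

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        client_ip = self.client_address[0]
        if is_shutdown_request(self.path):
            if not may_shutdown(client_ip, self.path):
                self.log_error("refused shutdown request from %s", client_ip)
                self.send_response(403)
                self.end_headers()
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"shutting down\n")
            # server.shutdown() blocks until serve_forever() returns, so it must
            # run on another thread; this ends the loop without os._exit(0).
            threading.Thread(target=self.server.shutdown, daemon=True).start()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

if __name__ == "__main__":
    HTTPServer((BIND_ADDR, PORT), Handler).serve_forever()
```

Refused attempts are written to the handler's error log with the client address, which gives a simple detection signal for probes against the route from outside the host.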

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nltk; Nltk nltk/nltk
Vendors & Products | | Nltk; Nltk nltk/nltk

Wed, 17 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.
Title | | Unauthenticated Denial of Service in nltk.app.wordnet_app
Weaknesses | | CWE-306
References | |
Metrics | | cvssV3_0 {'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-17T14:21:08.627Z

Reserved: 2026-06-14T09:15:42.775Z

Link: CVE-2026-12199

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:00:06Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function