Description
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue.
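To make the bug concrete, the following is an added illustrative model of the address check described above, not the actual code of `activitypub-federation-rust`: a blocklist-style validator that rejects loopback, private, link-local, broadcast, multicast and documentation ranges but forgets `Ipv4Addr::UNSPECIFIED`, beside the hardened form that adds the missing test. The set of checks and the `request_allowed` helper are assumptions for illustration; the "resolved" address is a constructed value, no DNS lookup happens.

```rust
use std::net::Ipv4Addr;

/// Illustrative model of the pre-fix validator (not the library's own code).
/// Returns true when the address must NOT be contacted. It covers the usual
/// internal ranges but never tests for 0.0.0.0, which most operating systems
/// treat as "this host", so it is as dangerous as 127.0.0.1 for SSRF.
fn v4_is_invalid_before(ip: Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_broadcast()
        || ip.is_multicast()
        || ip.is_documentation()
}

/// Hardened form: the same checks plus an explicit UNSPECIFIED test.
/// This mirrors what the advisory says the fix adds, without claiming to be it.
fn v4_is_invalid_after(ip: Ipv4Addr) -> bool {
    ip.is_unspecified() || v4_is_invalid_before(ip)
}

/// Simulates the outbound-request decision a federation client makes once a
/// remote hostname has resolved to `resolved` (constructed input, no real DNS).
fn request_allowed(resolved: Ipv4Addr, check: fn(Ipv4Addr) -> bool) -> bool {
    !check(resolved)
}

fn main() {
    // Constructed DNS answer standing in for an attacker-controlled domain.
    let resolved = Ipv4Addr::UNSPECIFIED;
    println!(
        "0.0.0.0 allowed before fix: {}",
        request_allowed(resolved, v4_is_invalid_before) // prints true
    );
    println!(
        "0.0.0.0 allowed after fix:  {}",
        request_allowed(resolved, v4_is_invalid_after) // prints false
    );
}
```

A defensive check for this class of bug is a unit test that feeds every special-purpose address (`UNSPECIFIED`, `LOCALHOST`, `BROADCAST`, a private and a link-local address) through the validator and asserts each is rejected.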
Published: 2026-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can manipulate a remote domain used by Lemmy to resolve to the IP address 0.0.0.0. The v4_is_invalid() function in activitypub‑federation‑rust does not reject this unspecified address, bypassing previous SSRF protections. As a result, the server may issue HTTP requests to localhost services, exposing internal interfaces or metadata. This server‑side request forgery can lead to data disclosure, credential theft, or further lateral movement within the host.

Affected Systems

Systems running LemmyNet's Lemmy platform with the activitypub‑federation‑rust component prior to version 0.7.0‑beta.9 are affected. The vulnerability resides specifically in the v4_is_invalid() routine, which is reached without any authentication. Instances of the older Lemmy build that expose user‑controlled federation URLs to the library are at risk.

Risk and Exploitability

CVSS score of 6.5 indicates a moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require control of a remote domain name resolved by the victim server. Once the SSRF bypass succeeds, the attacker can reach any localhost services, including administration interfaces and internal APIs, thereby expanding the attack surface. Administrators should consider this a low‑to‑moderate risk but treat it as urgent, given the ease of creating a malicious domain.

Generated by OpenCVE AI on March 27, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Lemmy version 0.7.0‑beta.9 or later, which adds the missing Ipv4Addr::UNSPECIFIED (0.0.0.0) check to v4_is_invalid().
  • If an upgrade is delayed, block outbound traffic to 0.0.0.0 (and optionally 127.0.0.1) at the application or firewall level.
  • Monitor domain resolution logs for attempts to resolve 0.0.0.0 and set alerts for unexpected patterns.
  • Audit federation settings to restrict or whitelist only trusted domains where possible.


Advisories
Source: Github GHSA
ID: GHSA-q537-8fr5-cw35
Title: Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Lemmynet; Lemmynet lemmy

Type: Vendors & Products
Values Added: Lemmynet; Lemmynet lemmy

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
Values Added: Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_invalid()` function in `activitypub-federation-rust` (`src/utils.rs`) does not check for `Ipv4Addr::UNSPECIFIED` (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server. Version 0.7.0-beta.9 patches the issue.

Type: Title
Values Added: Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:03:35.946Z

Reserved: 2026-03-23T16:34:59.932Z

Link: CVE-2026-33693

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T01:16:18.983

Modified: 2026-03-27T01:16:18.983

Link: CVE-2026-33693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:22:38Z

Weaknesses