CVE-2026-33693
SSRF via Incomplete IP Validation in activitypub-federation-rust
Description
An SSRF bypass vulnerability was discovered in activitypub-federation-rust, the core federation library used by Lemmy (13,700+ stars) and six other Fediverse projects.
The v4_is_invalid() function validates destination IP addresses to prevent SSRF, but it never calls is_unspecified(), so an attacker can bypass the check by targeting 0.0.0.0. On Linux and most other Unix-like systems, a connection to 0.0.0.0 is delivered to the local host, which grants access equivalent to 127.0.0.1.
Technical Details
Root Cause
The IP validation function rejects private, loopback, link-local, broadcast, and documentation addresses but omits the is_unspecified() check. The address 0.0.0.0 is the IPv4 "unspecified" address; it falls outside every range the existing checks cover, so it passes validation.
Attack Vector
An attacker hosts a malicious ActivityPub object whose URL points to http://0.0.0.0:<port>/path. When a federated server fetches this object, validation passes because is_unspecified() is never invoked, and the request proceeds to a service listening on the target server itself.
Downstream Impact
Six or more Fediverse projects depend on this library, including Lemmy — one of the largest federated link aggregation platforms. Any instance running a vulnerable version is exposed to SSRF attacks from remote ActivityPub actors.
Vulnerability Characteristics
- Attack Vector: Network — remote ActivityPub federation
- Attack Complexity: Low
- Privileges Required: None — any federated actor
- User Interaction: None
- Scope: Unchanged
Impact Assessment
- Confidentiality: Low — access to internal services and potential credential exposure
- Integrity: Low — possible interaction with internal APIs
- Availability: None
Attackers can reach services bound on the target host, including those listening only on loopback, scan local ports, and interact with local management or admin APIs, with credential exposure as a possible consequence. Cloud metadata endpoints such as AWS IMDSv1 at 169.254.169.254 are link-local and remain blocked by the existing is_link_local() check; the 0.0.0.0 bypass is limited to what is reachable as localhost.
Disclosure Timeline
- 2026-03-11: Vulnerability reported via GitHub Private Vulnerability Reporting
- 2026-03-13: Maintainer confirmed the vulnerability
- 2026-03-23: CVE-2026-33693 assigned
Remediation
A fix has been submitted via PR #162. Update to the patched version once it is released. Instance operators should monitor the activitypub-federation-rust repository for the security release and then upgrade downstream projects (such as Lemmy) to a build that pulls in the fixed dependency.
Discovered by: Kai Aizen (SnailSploit)