CVE-2026-40072

Exploit

EPSS 0.23%
Veröffentlicht 09.04.2026 18:17:03
Zuletzt bearbeitet 02.06.2026 16:48:38
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

web3.py affected by SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation. CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), meaning any application using web3.py's .call() method is exposed without explicit opt-in. This results in Server-Side Request Forgery (SSRF) when web3.py is used in backend services, indexers, APIs, or any environment that performs eth_call / .call() against untrusted or user-supplied contract addresses. A malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints. This vulnerability is fixed in 7.15.0 and 8.0.0b2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apeworx ≫ Web3.Py SwPlatformpython Version >= 6.1.0 < 7.15.0

Apeworx ≫ Web3.Py Version6.0.0 Update- SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta10 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta11 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta3 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta4 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta5 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta6 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta7 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta8 SwPlatformpython

Apeworx ≫ Web3.Py Version6.0.0 Updatebeta9 SwPlatformpython

Apeworx ≫ Web3.Py Version8.0.0 Updatebeta1 SwPlatformpython

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.133

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
security-advisories@github.com	1.7	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/ethereum/web3.py/commit/b1c57bb0a124359c9902daaefab4d8af7c3c4c1e

Patch

https://github.com/ethereum/web3.py/security/advisories/GHSA-5hr4-253g-cpx2

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-40072

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40072

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40072

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40072