{"data":{"id":"0636a40d-d8cd-46b0-855d-06da0b6d999d","title":"GHSA-7p48-42j8-8846: Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)","summary":"Streamlit Open Source versions before 1.54.0 on Windows have an unauthenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making unintended network requests) in how they handle file paths. An attacker can supply a malicious UNC path (a Windows network address like \\\\attacker-host\\share) that causes the Streamlit server to initiate SMB connections (the protocol Windows uses for file sharing) and leak the NTLMv2 credential hashes (challenge-response values derived from the account's password) of the user running Streamlit, which could then be used in relay attacks or password cracking.","solution":"The vulnerability has been fixed in Streamlit Open Source version 1.54.0. It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7p48-42j8-8846","publishedAt":"2026-03-25T21:20:52.000Z","cveId":"CVE-2026-33682","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["Streamlit@< 1.54.0 (fixed: 1.54.0)"],"affectedVendors":[],"affectedVendorsRaw":["Streamlit","Snowflake"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-25T21:20:52.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":["AML.T0010"]}}