CVE-2026-40072

Severity: Low (CVSS 4.0 base score 1.7)
EPSS: 13.5%
Published Apr 9, 2026 · Last modified Jun 17, 2026

Description

web3.py allows you to interact with the Ethereum blockchain using Python. Versions from 6.0.0b3 up to (but not including) 7.15.0, and 8.x pre-releases before 8.0.0b2, implement CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts. Under EIP-3668 a contract signals an off-chain lookup by reverting with an OffchainLookup error whose payload carries the gateway URLs; web3.py takes that list from offchain_lookup_payload["urls"] and uses the contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation.

CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), so any application that uses web3.py's .call() method is exposed without explicit opt-in. The result is Server-Side Request Forgery (SSRF) wherever web3.py runs in backend services, indexers, APIs, or any other environment that performs eth_call / .call() against untrusted or user-supplied contract addresses: a malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints.

This vulnerability is fixed in 7.15.0 and 8.0.0b2. Until an upgrade is possible, the default can be turned off on the provider (the global_ccip_read_enabled flag named above) so that .call() never follows contract-supplied URLs.
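The following is an added example, not web3.py's own code and not the upstream fix: it shows the EIP-3668 {sender} / {data} substitution that produces the request URL, and the destination check a backend should apply to a contract-supplied URL list before any HTTP is issued. The gateway allowlist, the denied hostnames and the sample "urls" payload are constructed for this example; a real deployment would take the allowlist from configuration, never from chain data.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Hostnames that must never be reached from a URL taken off-chain.
# Constructed deny-list for this example; extend it for your environment.
DENIED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# CCIP Read gateways this service has agreed to talk to (constructed; in a real
# deployment this comes from configuration, not from the reverting contract).
ALLOWED_GATEWAYS = {"gateway.example.org"}


def fill_ccip_template(template: str, sender: str, data: str) -> tuple[str, str]:
    """Apply the EIP-3668 substitution and pick the HTTP method.

    EIP-3668: {sender} is replaced by the lowercased 0x-prefixed contract
    address and {data} by the 0x-prefixed hex call data. A template that
    contains {data} is fetched with GET; otherwise sender/data are POSTed
    as a JSON body. The URL is fully attacker-controlled apart from these
    two substitutions, which is the root of the SSRF.
    """
    url = template.replace("{sender}", sender.lower()).replace("{data}", data.lower())
    method = "GET" if "{data}" in template else "POST"
    return url, method


def _ip_is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Loopback, RFC 1918/ULA, link-local (which covers 169.254.169.254),
    # multicast, reserved and unspecified addresses are all off-limits.
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def classify_ccip_url(url: str) -> tuple[bool, str]:
    """Deny-by-default check for one substituted CCIP Read URL.

    Returns (allowed, reason). Only https, no credentials in the URL, no IP
    literals at all (internal ones get a specific reason), and the hostname
    must be on the gateway allowlist. Hostname checks alone are not enough
    against DNS rebinding: the HTTP client must also refuse redirects and
    verify the resolved address at connect time.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    if host.lower() in DENIED_HOSTNAMES:
        return False, f"host {host!r} is denied"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Unwrap ::ffff:a.b.c.d so IPv4-mapped addresses are judged as IPv4.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if _ip_is_internal(ip):
            return False, f"ip literal {ip} is internal"
        return False, "ip literals are not allowed; use an allowlisted hostname"
    if host.lower() not in ALLOWED_GATEWAYS:
        return False, f"host {host!r} not on gateway allowlist"
    return True, "ok"


def resolve_offchain_lookup(urls: list[str], sender: str, data: str):
    """Filter an OffchainLookup URL list before the client fetches anything.

    This is the decision point the advisory describes as missing: every
    entry comes straight from the reverting contract and is untrusted.
    Returns the (url, method) pairs that may be fetched and the rejected
    (url, reason) pairs for logging.
    """
    accepted, rejected = [], []
    for template in urls:
        url, method = fill_ccip_template(template, sender, data)
        ok, reason = classify_ccip_url(url)
        if ok:
            accepted.append((url, method))
        else:
            rejected.append((url, reason))
    return accepted, rejected


# Constructed example of the "urls" list a malicious contract could return.
SAMPLE_URLS = [
    "https://gateway.example.org/{sender}/{data}.json",
    "https://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "https://[::1]:8545/",
    "https://localhost/admin",
    "https://user:pw@gateway.example.org/{sender}/{data}",
    "http://gateway.example.org/{sender}/{data}",
]
SAMPLE_SENDER = "0xAbCd000000000000000000000000000000001234"  # constructed
SAMPLE_DATA = "0xdeadbeef"  # constructed call data

if __name__ == "__main__":
    ok_urls, bad_urls = resolve_offchain_lookup(SAMPLE_URLS, SAMPLE_SENDER, SAMPLE_DATA)
    for url, method in ok_urls:
        print("FETCH", method, url)
    for url, reason in bad_urls:
        print("REJECT", url, "->", reason)
```

Of the six constructed entries only the allowlisted gateway survives; the metadata endpoint, the loopback node RPC, the plain-HTTP and credential-carrying variants are all refused before a socket is opened. Note that the check is applied to the URL after substitution, since a template can place {sender} or {data} in the host part and change what the URL points at.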

CVSS Details

Base Score: 1.7 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present (the victim process must issue a call against an attacker-controlled contract)
Privileges Required: None
User Interaction: None
Vulnerable System Confidentiality / Integrity / Availability: None / None / None
Subsequent System Confidentiality / Integrity / Availability: Low / Low / None (the impact lands on the internal services and metadata endpoints the forged requests reach)
Exploit Maturity: Unreported

Threat Intelligence

EPSS: 13.5%
Exploit status: Public exploit known
Patch status: Patch available

Weaknesses

CWE-918: Server-Side Request Forgery (SSRF)

Affected Products

Vendor    Product   Version   Range
apeworx   web3.py   *         >= 6.1.0, < 7.15.0
apeworx   web3.py   6.0.0     any (pre-releases from 6.0.0b3, per the description)
apeworx   web3.py   8.0.0     any (pre-releases before 8.0.0b2, per the description)

References

  • https://github.com/ethereum/web3.py/commit/b1c57bb0a124359c9902daaefab4d8af7c3c4c1e
    Patch
  • https://github.com/ethereum/web3.py/security/advisories/GHSA-5hr4-253g-cpx2
    Exploit, Mitigation, Vendor Advisory

Remediation

  • Upgrade to web3.py 7.15.0 or 8.0.0b2 (or later).
  • Patch commit: https://github.com/ethereum/web3.py/commit/b1c57bb0a124359c9902daaefab4d8af7c3c4c1e