CVE-2026-40072 | Ethereum web3.py up to 7.14.x/8.0.0b1 Backend Service eth_call/call offchain_lookup_payload["urls"] server-side request forgery
VulDBArchived Apr 09, 2026✓ Full text saved
A vulnerability categorized as critical has been discovered in Ethereum web3.py up to 7.14.x/8.0.0b1 . This affects the function eth_call/call of the component Backend Service . Executing a manipulation of the argument offchain_lookup_payload["urls"] can lead to server-side request forgery. The identification of this vulnerability is CVE-2026-40072 . The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-356645 · CVE-2026-40072 · GCVE-0-2026-40072
ETHEREUM WEB3.PY UP TO 7.14.X/8.0.0B1 BACKEND SERVICE ETH_CALL/CALL OFFCHAIN_LOOKUP_PAYLOAD["URLS"] SERVER-SIDE REQUEST FORGERY
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
7.0 $0-$5k 1.40+
Summaryinfo
A vulnerability identified as critical has been detected in Ethereum web3.py up to 7.14.x/8.0.0b1. This vulnerability affects the function eth_call/call of the component Backend Service. The manipulation of the argument offchain_lookup_payload["urls"] leads to server-side request forgery. This vulnerability is referenced as CVE-2026-40072. Remote exploitation of the attack is possible. No exploit is available. You should upgrade the affected component.
Detailsinfo
A vulnerability, which was classified as critical, has been found in Ethereum web3.py up to 7.14.x/8.0.0b1. This issue affects the function eth_call/call of the component Backend Service. The manipulation of the argument offchain_lookup_payload["urls"] with an unknown input leads to a server-side request forgery vulnerability. Using CWE to declare the problem leads to CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses these contract-supplied URLs directly (after {sender} / {data} template substitution) without any destination validation. CCIP Read is enabled by default (global_ccip_read_enabled = True on all providers), meaning any application using web3.py's .call() method is exposed without explicit opt-in. This results in Server-Side Request Forgery (SSRF) when web3.py is used in backend services, indexers, APIs, or any environment that performs eth_call / .call() against untrusted or user-supplied contract addresses. A malicious contract can force the web3.py process to issue HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints. This vulnerability is fixed in 7.15.0 and 8.0.0b2.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-40072 since 04/09/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.
Upgrading to version 7.15.0 or 8.0.0b2 eliminates this vulnerability.
Productinfo
Vendor
Ethereum
Name
web3.py
Version
7.0
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
7.10
7.11
7.12
7.13
7.14
8.0.0b1
Website
Product: https://github.com/ethereum/web3.py/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3info
VulDB Meta Base Score: 7.3
VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Server-side request forgery
CWE: CWE-918
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: web3.py 7.15.0/8.0.0b2
Timelineinfo
04/09/2026 Advisory disclosed
04/09/2026 +0 days CVE reserved
04/09/2026 +0 days VulDB entry created
04/09/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: github.com
Status: Confirmed
CVE: CVE-2026-40072 (🔒)
GCVE (CVE): GCVE-0-2026-40072
GCVE (VulDB): GCVE-100-356645
Entryinfo
Created: 04/09/2026 20:01
Changes: 04/09/2026 20:01 (70)
Complete: 🔍
Cache ID: 99:F02:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸