CVE-2026-33231: Missing Authentication for Critical Function in Nltk

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 94.85%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 20

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db
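Added example (not NLTK's code and not the fix from the commit referenced above): the path-only dispatch pattern the description reports, next to one hypothetical way to gate such a control action. The function names, the POST/loopback/token policy and all sample values are assumptions made for illustration.

```python
import hmac
import ipaddress
from urllib.parse import unquote_plus

# Decoded form of the request path quoted in the description.
SHUTDOWN_PATH = "SHUTDOWN THE SERVER"


def unguarded_action(raw_path):
    """Path-only dispatch: any client that can reach the port can stop it."""
    if unquote_plus(raw_path.lstrip("/")) == SHUTDOWN_PATH:
        return "shutdown"
    return "serve"


def guarded_action(method, raw_path, client_ip, token, expected_token):
    """Hypothetical hardened dispatch (an assumption, not the NLTK patch)."""
    if unquote_plus(raw_path.lstrip("/")) != SHUTDOWN_PATH:
        return "serve"
    # A state-changing control action should not be reachable by GET.
    if method != "POST":
        return "reject"
    # Only accept the action from the local machine.
    try:
        if not ipaddress.ip_address(client_ip).is_loopback:
            return "reject"
    except ValueError:
        return "reject"
    # Require a per-run secret, compared in constant time.
    if not token or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return "reject"
    return "shutdown"


if __name__ == "__main__":
    secret = "constructed-sample-token"  # constructed value for the demo
    requests = [  # constructed sample requests: (method, path, client, token)
        ("GET", "/SHUTDOWN%20THE%20SERVER", "192.0.2.10", None),
        ("POST", "/SHUTDOWN%20THE%20SERVER", "192.0.2.10", secret),
        ("POST", "/SHUTDOWN%20THE%20SERVER", "127.0.0.1", "wrong"),
        ("POST", "/SHUTDOWN%20THE%20SERVER", "127.0.0.1", secret),
        ("GET", "/index", "192.0.2.10", None),
    ]
    for method, path, ip, tok in requests:
        print(method, path, ip, unguarded_action(path),
              guarded_action(method, path, ip, tok, secret))
```

Binding a development server like this to a loopback address only is a complementary control: it removes network reachability, which is what the AV:N component of the CVSS vector reflects.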

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: nltk/nltk 3.9.3
PyPI: nltk/nltk 3.9.3
debian: debian/nltk

Patches

🔴 Vulnerability Details (3)

OSV: CVE-2026-33231: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Lang (2026-03-20)
OSV: Unauthenticated remote shutdown in nltk.app.wordnet_app (2026-03-19)
GHSA: Unauthenticated remote shutdown in nltk.app.wordnet_app (2026-03-19)

📋 Vendor Advisories (2)

Red Hat: nltk: NLTK: Denial of Service via unauthenticated remote shutdown (2026-03-20)
Debian: CVE-2026-33231: nltk - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data s... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-33231 Impact, Exploitability, and Mitigation Steps | Wiz