CVE-2026-33231
Published: 20 March 2026
Summary
CVE-2026-33231 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in NLTK (Natural Language Toolkit). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.3 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw Remediation requires applying the patch from commit bbaae83db86a0f49e00f5b0db44a7254c268de9b, which removes the unauthenticated shutdown endpoint from NLTK's WordNet Browser server.
Permitted Actions Without Identification or Authentication (AC-14) directly addresses the missing authentication on the critical shutdown function, which is exercised by the `GET /SHUTDOWN%20THE%20SERVER` request.
Denial-of-service Protection (SC-5) limits the effects of the high-impact availability disruption caused by unauthenticated remote process termination.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes unauthenticated remote exploitation of a public-facing HTTP server (the WordNet Browser) via a crafted GET request that triggers process termination (`os._exit`). That maps to initial access through exploitation of a public-facing application and to an endpoint denial of service through application exploitation.
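Because the request that exercises this flaw is fixed and unmistakable, it is easy to hunt for in access logs. The following is an added example, not part of the advisory or of NLTK: it parses access-log lines in the common-log-like format that Python's `http.server` writes to stderr (and that a reverse proxy placed in front of the WordNet Browser would also produce; both are assumptions), flags requests whose decoded path equals the shutdown path quoted above, and separates loopback from remote sources. Comparing the decoded path rather than the literal `%20` string means alternative percent-encodings of the same path are caught as well. The sample log lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address
from typing import Iterable, Optional
from urllib.parse import unquote

# Assumed log shape: "<client> - - [<timestamp>] "<method> <path> <proto>" <status> <size>"
# (what http.server's BaseHTTPRequestHandler logs, and close to Combined Log Format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Decoded form of the request path quoted in the advisory.
SHUTDOWN_PATH = "/SHUTDOWN THE SERVER"


def is_remote(ip: str) -> bool:
    """Anything that is not a loopback address is treated as remote;
    an unparsable client field is treated as remote too (fail closed)."""
    try:
        return not ip_address(ip).is_loopback
    except ValueError:
        return True


def classify(line: str) -> Optional[dict]:
    """Return a hit record if the line is a shutdown request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode before comparing so %53HUTDOWN, %20 vs other encodings, etc. all match.
    if unquote(m["path"]) != SHUTDOWN_PATH:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "remote": is_remote(m["ip"])}


def scan(lines: Iterable[str]) -> list:
    """All shutdown requests in the log, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def remote_sources(hits: Iterable[dict]) -> Counter:
    """Count shutdown attempts per non-loopback client; these are the ones
    that indicate the server was reachable from beyond the local host."""
    return Counter(h["ip"] for h in hits if h["remote"])


# Constructed sample log (not real traffic). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [20/Mar/2026 10:00:01] "GET /wn HTTP/1.1" 200 -',
    '203.0.113.7 - - [20/Mar/2026 10:00:02] "GET /SHUTDOWN%20THE%20SERVER HTTP/1.1" 200 -',
    '198.51.100.4 - - [20/Mar/2026 10:00:03] "GET /%53HUTDOWN%20THE%20SERVER HTTP/1.1" 200 -',
    '127.0.0.1 - - [20/Mar/2026 10:00:04] "GET /SHUTDOWN%20THE%20SERVER HTTP/1.1" 200 -',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        origin = "REMOTE" if hit["remote"] else "local"
        print(f"{hit['ts']} {origin:6} {hit['ip']} shutdown request (status {hit['status']})")
    print("remote sources:", dict(remote_sources(found)))
```

A successful shutdown request is followed by the process dying, so a hit with status 200 that is the last line before the log ends (or before a restart) is the strongest signal; a 403 or 404 on the same path indicates a patched or fronted server that refused it.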
NVD Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
Deeper analysis
CVE-2026-33231 is a denial-of-service vulnerability in NLTK (Natural Language Toolkit), a suite of open-source Python modules, datasets, and tutorials for natural language processing research and development. It affects versions 3.9.3 and prior, specifically the `nltk.app.wordnet_app` component, which launches a local WordNet Browser HTTP server in its default mode. The server lacks authentication for a shutdown endpoint, allowing a simple `GET /SHUTDOWN%20THE%20SERVER` request to invoke `os._exit(0)` and immediately terminate the process. The vulnerability carries a CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-306 (Missing Authentication for Critical Function).
Any unauthenticated remote attacker with network access to the exposed HTTP server can exploit this issue with low complexity and no user interaction or privileges required. Exploitation triggers an instantaneous shutdown of the server process, resulting in a high-impact denial of service that disrupts availability without affecting confidentiality or integrity.
Mitigation is provided via commit bbaae83db86a0f49e00f5b0db44a7254c268de9b, which patches the issue in the NLTK repository (https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b). Further details are available in the GitHub security advisory (https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g). Practitioners should update NLTK installations and avoid exposing the WordNet Browser server to external networks.
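To make the CWE-306 pattern concrete, here is an added example (hypothetical code written for this page, not NLTK's WordNet Browser server or its patch) built on Python's standard `http.server`. `vulnerable_should_shutdown` reproduces the weak decision the advisory describes, where the request path alone decides whether the process stops. `hardened_should_shutdown` and `HardenedHandler` show the defensive shape: bind to loopback only, accept the shutdown path only from a loopback peer presenting a per-process token in an `X-Shutdown-Token` header (a header name chosen for this example), compare the token in constant time, and stop the server gracefully instead of calling `os._exit(0)`.

```python
import hmac
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping
from urllib.parse import unquote

# Decoded form of the request path quoted in the advisory.
SHUTDOWN_PATH = "/SHUTDOWN THE SERVER"

# Per-process secret. Only whoever started the process (and can read its
# stdout) learns it, so a bare network peer cannot present it.
SHUTDOWN_TOKEN = secrets.token_urlsafe(32)
LOOPBACK = {"127.0.0.1", "::1"}


def vulnerable_should_shutdown(path: str) -> bool:
    """The CWE-306 pattern (hypothetical reconstruction, not NLTK's code):
    the only check is the path, so any client that can reach the socket
    can stop the process."""
    return unquote(path) == SHUTDOWN_PATH


def hardened_should_shutdown(path: str, client_ip: str, headers: Mapping[str, str]) -> bool:
    """Honour shutdown only for a loopback peer that presents the
    per-process token; the comparison is constant-time."""
    if client_ip not in LOOPBACK:
        return False
    if unquote(path) != SHUTDOWN_PATH:
        return False
    presented = headers.get("X-Shutdown-Token", "")
    return hmac.compare_digest(presented, SHUTDOWN_TOKEN)


class HardenedHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        if hardened_should_shutdown(self.path, self.client_address[0], self.headers):
            self._reply(200, b"shutting down\n")
            # Graceful stop: serve_forever() returns and the process exits
            # normally. shutdown() must be called off the serving thread,
            # otherwise it deadlocks waiting for this very handler to finish.
            threading.Thread(target=self.server.shutdown, daemon=True).start()
            return
        if unquote(self.path) == SHUTDOWN_PATH:
            # Remote or tokenless attempt: refuse, and leave a log line behind.
            self._reply(403, b"forbidden\n")
            return
        self._reply(200, b"ok\n")

    def _reply(self, status: int, body: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port: int = 0) -> None:
    # Bind to loopback only, matching the advice not to expose the server
    # to external networks; port 0 lets the OS pick a free port.
    httpd = HTTPServer(("127.0.0.1", port), HardenedHandler)
    print(f"listening on {httpd.server_address}; shutdown token: {SHUTDOWN_TOKEN}")
    httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

The loopback check on its own is not sufficient: any local process, including one run by another user on a shared host, could still stop the server, which is why the token is required as well. Conversely, the token on its own would still leave the endpoint reachable from the network if the bind address were `0.0.0.0`; the two checks cover different exposures.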
Details
- CWE(s)