PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58501 mvantellingen CVE debrief

CVE-2026-58501 is a vulnerability in the Zeep Python SOAP client. Versions from 4.0.0 before 4.3.3 define but do not enforce the Settings.forbid_external setting when parsing WSDL or XSD documents. This oversight allows for transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. The vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. The issue is fixed in version 4.3.3. Users and administrators of affected versions should take immediate action to mitigate potential risks.

Vendor
mvantellingen
Product
python-zeep
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of Zeep SOAP client versions 4.0.0 through 4.3.2 should be aware of this vulnerability and take steps to mitigate it. This includes operators, administrators, and security teams responsible for maintaining and securing systems that utilize the Zeep SOAP client. Affected organizations should review their deployments, assess potential exposure, and implement recommended mitigations or patches.

Technical summary

The Zeep Python SOAP client vulnerability, CVE-2026-58501, arises from the improper enforcement of the Settings.forbid_external setting. This setting is intended to prevent the fetching of external resources when parsing WSDL or XSD documents. However, in versions 4.0.0 through 4.3.2, this setting is defined but not enforced, allowing an attacker to potentially fetch malicious content from attacker-controlled URLs. The vulnerability can be exploited through transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references. The issue has been fixed in version 4.3.3, which properly enforces the Settings.forbid_external setting.

Defensive priority

Medium

Recommended defensive actions

  • Update Zeep to version 4.3.3 or later
  • Review and restrict external resource access in WSDL and XSD documents
  • Monitor for suspicious activity related to SOAP client usage
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T20:16:55.323Z and was last modified on 2026-07-10T17:20:58.133Z. The NVD entry is currently Analyzed. The Zeep Python SOAP client vulnerability, CVE-2026-58501, arises from the improper enforcement of the Settings.forbid_external setting. This setting is intended to prevent the fetching of external resources when parsing WSDL or XSD documents. However, in versions 4.0.0 through 4.3.2, this setting is defined but not enforced, allowing an attacker to potentially fetch malicious content from attacker-controlled URLs. Evidence is limited to public CVE and NVD information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:55.323Z and has not been modified since then. The NVD entry is currently Analyzed.