PatchSiren cyber security CVE debrief
CVE-2026-58501 mvantellingen CVE debrief
CVE-2026-58501 is a vulnerability in the Zeep Python SOAP client. Versions from 4.0.0 before 4.3.3 define but do not enforce the Settings.forbid_external setting when parsing WSDL or XSD documents. This oversight allows for transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. The vulnerability has a CVSS score of 5.9 and is classified as MEDIUM severity. The issue is fixed in version 4.3.3. Users and administrators of affected versions should take immediate action to mitigate potential risks.
- Vendor
- mvantellingen
- Product
- python-zeep
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of Zeep SOAP client versions 4.0.0 through 4.3.2 should be aware of this vulnerability and take steps to mitigate it. This includes operators, administrators, and security teams responsible for maintaining and securing systems that utilize the Zeep SOAP client. Affected organizations should review their deployments, assess potential exposure, and implement recommended mitigations or patches.
Technical summary
The Zeep Python SOAP client vulnerability, CVE-2026-58501, arises from the improper enforcement of the Settings.forbid_external setting. This setting is intended to prevent the fetching of external resources when parsing WSDL or XSD documents. However, in versions 4.0.0 through 4.3.2, this setting is defined but not enforced, allowing an attacker to potentially fetch malicious content from attacker-controlled URLs. The vulnerability can be exploited through transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references. The issue has been fixed in version 4.3.3, which properly enforces the Settings.forbid_external setting.
Defensive priority
Medium
Recommended defensive actions
- Update Zeep to version 4.3.3 or later
- Review and restrict external resource access in WSDL and XSD documents
- Monitor for suspicious activity related to SOAP client usage
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T20:16:55.323Z and was last modified on 2026-07-10T17:20:58.133Z. The NVD entry is currently Analyzed. The Zeep Python SOAP client vulnerability, CVE-2026-58501, arises from the improper enforcement of the Settings.forbid_external setting. This setting is intended to prevent the fetching of external resources when parsing WSDL or XSD documents. However, in versions 4.0.0 through 4.3.2, this setting is defined but not enforced, allowing an attacker to potentially fetch malicious content from attacker-controlled URLs. Evidence is limited to public CVE and NVD information.
Official resources
-
CVE-2026-58501 CVE record
CVE.org
-
CVE-2026-58501 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Mitigation, Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:55.323Z and has not been modified since then. The NVD entry is currently Analyzed.