CVE-2026-33231: NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
Security readout for executives and security teams
Plain-English summary
This issue lets anyone who can reach NLTK's local WordNet Browser web server shut it down without logging in. The business impact is availability loss, not data theft. It matters most where research, NLP tooling, or internal services expose that browser over a network.
Executive priority
Treat as high priority where NLTK WordNet Browser is network-accessible, because unauthenticated users can cause service interruption. Lower priority for systems that only use NLTK as a library and never start the browser.
Technical view
NLTK versions 3.9.3 and earlier include an unauthenticated shutdown path in nltk.app.wordnet_app. A network request to the default WordNet Browser HTTP server can immediately terminate the process through os._exit(0), causing denial of service. The supplied sources identify CWE-306 and a patch commit.
Likely exposure
Exposure is likely limited to environments running NLTK <= 3.9.3 and starting nltk.app.wordnet_app with the WordNet Browser reachable by untrusted users. Standard NLTK library use without that browser is not shown as exposed by the supplied sources.
Exploitation context
The CVSS vector is network-reachable, low complexity, no privileges, and no user interaction, with high availability impact. The provided data says KEV is false, and no supplied source establishes active exploitation in the wild.
Researcher notes
The supplied evidence supports denial of service only. It does not support confidentiality or integrity impact, broad NLTK runtime compromise, or confirmed exploitation. Fixed release details are not present in the bundle beyond the upstream patch commit and Red Hat advisories.
Mitigation direction
Upgrade NLTK to a version containing commit bbaae83db86a0f49e00f5b0db44a7254c268de9b.
Review NLTK and Red Hat advisories for exact fixed package versions.
Restrict WordNet Browser access to trusted local users only.
Stop exposed WordNet Browser instances until patched.
Monitor affected systems for unexpected WordNet Browser process termination.
Validation and detection
Inventory Python environments for NLTK versions <= 3.9.3.
Identify systems starting nltk.app.wordnet_app or the WordNet Browser.
Check whether the browser HTTP server is reachable beyond localhost.
Verify patched builds include the referenced upstream commit.
Review Red Hat errata applicability for managed platform packages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-306 · source CWE mapping
Missing Authentication for Critical Function
Missing Authentication for Critical Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.