How is CVE-2026-12199 exploited?

Network reachability (required): The attacker must reach the WordNet Browser HTTP server over the network; the server listens on all interfaces by default, making it reachable from any host with a network path to the machine. Authentication (not-required): No credentials or session token of any kind are required; the shutdown endpoint accepts unauthenticated GET requests from any client. Victim interaction (not-required): No user action is needed; the attacker sends the GET request directly to the server and the process exits immediately without any victim involvement. Attack complexity (info): Attack complexity is low; the exploit is a single well-defined HTTP request with no race conditions, memory-layout dependencies, or environmental prerequisites.

What is the impact of CVE-2026-12199?

Crashes the WordNet Browser HTTP server process immediately via os._exit(0), with no graceful shutdown or cleanup. Terminates all in-flight requests to the server, dropping any work that was being processed at the time of the attack. Renders the WordNet Browser service completely unavailable until the process is manually restarted.

Back to search

HIGHCVE-2026-12199Published 2026-06-17Modified 2026-06-17CNA @huntr_ai

CVE-2026-12199: Unauthenticated Denial of Service in nltk.app.wordnet_app

A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.

CVSS v3.0: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an unauthenticated denial-of-service vulnerability in the nltk library's WordNet Browser HTTP server (nltk.app.wordnet_app), affecting all versions up to and including 3.9.3. An attacker with network access to the server can send a single unauthenticated GET request to the path /SHUTDOWN%20THE%20SERVER, which triggers an immediate process exit via os._exit(0) with no authentication check. Successful exploitation terminates the server process instantly, causing a full loss of service availability. HarborGuard is tracking the upstream advisory for patch availability and will make a patched-image rebuild available as soon as a fix version is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the nltk package. Any image containing an affected version of nltk is flagged automatically during both registry scans and CI/CD pipeline checks.

Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.0 score of 7.5 (HIGH) and weights it against each environment's compliance policy to prioritize routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the WordNet Browser HTTP server over the network; the server listens on all interfaces by default, making it reachable from any host with a network path to the machine.
AuthenticationNot required
No credentials or session token of any kind are required; the shutdown endpoint accepts unauthenticated GET requests from any client.
Victim interactionNot required
No user action is needed; the attacker sends the GET request directly to the server and the process exits immediately without any victim involvement.
Attack complexityDetail
Attack complexity is low; the exploit is a single well-defined HTTP request with no race conditions, memory-layout dependencies, or environmental prerequisites.

Blast Radius

Crashes the WordNet Browser HTTP server process immediately via os._exit(0), with no graceful shutdown or cleanup.
Terminates all in-flight requests to the server, dropping any work that was being processed at the time of the attack.
Renders the WordNet Browser service completely unavailable until the process is manually restarted.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been published for this CVE, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment nltk ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's network-policy tooling: isolating containers that run nltk.app.wordnet_app behind a network policy that restricts inbound HTTP access to trusted source IPs, or blocking the /SHUTDOWN path via an ingress rule, reduces the exploitable attack surface. For environments where the WordNet Browser is not a required runtime feature, disabling or removing the component from the container image is the most effective interim mitigation. Where compliance policy permits, auto-remediation will handle the rebuild, regression test run, and PR against affected workloads as soon as an upstream fix is available.

See how HarborGuard automates this

Affected packages

nltk / nltk/nltk
≤ latest

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

huntr.com

Metrics

Get notified