Skip to main content

DesktopCommanderMCP CVE-2026-10690

| EUVDEUVD-2026-34053 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-03 cna@vuldb.com GHSA-5xx3-j724-wmx5
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 03, 2026 - 00:27 vuln.today
Analysis Generated
Jun 03, 2026 - 00:27 vuln.today

DescriptionCVE.org

A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue.

AnalysisAI

Server-Side Request Forgery in wonderwhy-er DesktopCommanderMCP 0.2.37 allows low-privileged remote MCP clients to coerce the server into fetching arbitrary internal URLs via the url argument of the readFileFromUrl function in src/tools/filesystem.ts. The unpatched server performs no origin validation and follows HTTP redirects automatically, enabling attackers to reach RFC 1918 private networks and cloud instance metadata services (AWS/GCP/Azure at 169.254.169.254) from the server's network context. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing is present at time of analysis.

Technical ContextAI

DesktopCommanderMCP is a Model Context Protocol (MCP) server that extends AI assistants such as Claude with filesystem and shell capabilities, implemented in TypeScript. The read_file component exposes readFileFromUrl in src/tools/filesystem.ts, which calls the Node.js fetch API with an attacker-controlled url string and, in the unpatched version, follows redirects by default (redirect: 'follow'). CWE-918 (Server-Side Request Forgery) describes the root cause: user-supplied URL input reaches a network fetch primitive without destination validation, allowing the server to act as an unauthenticated proxy to internal resources. The commit diff confirms the full attack surface - any scheme (file://, ftp://), any IP range including 127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x.x, and internal hostnames such as localhost or host.docker.internal - was accepted prior to the fix. The redirect-follow behavior additionally enabled open-redirect-to-SSRF chains: supply a public URL that redirects to an internal endpoint.

RemediationAI

Apply the upstream fix via commit 53699bebba9950047bca16ac4dc8f0568f596aaa, which introduces a validateFetchUrl() guard that rejects non-HTTP(S) schemes, private IPv4 ranges (10.x, 172.16-31.x, 192.168.x), loopback (127.x), link-local ranges including cloud metadata endpoints (169.254.x.x), IPv6 loopback (::1), and known internal hostnames (localhost, host.docker.internal, metadata.google.internal, metadata.goog, *.local). The patch also sets redirect: 'error' to block open-redirect-to-SSRF chains. Important caveat: the confirmed fix commit appears in the fork sorlen008/DesktopCommanderMCP, not the canonical wonderwhy-er/DesktopCommanderMCP repository - whether this fix has been merged upstream and released as a tagged version is not confirmed by available data; verify against https://github.com/wonderwhy-er/DesktopCommanderMCP before treating a specific release as patched. As a compensating control, enforce network egress filtering at the host or container level to block outbound connections to RFC 1918 addresses and 169.254.0.0/16; this addresses the highest-impact exploitation path (cloud metadata theft) with no application-level side effects. Note that the patch itself explicitly states that DNS rebinding attacks are not blocked by the code-level fix and require a network-layer proxy or egress firewall.

Share

CVE-2026-10690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy