Docker
CVE-2026-33060
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The @aborruso/ckan-mcp-server MCP server provides tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services.
Severity
Attack complexity is HIGH because exploitation requires prompt injection via malicious content (webpage, document) while the victim's AI assistant has this MCP server connected.
Proof of Concept
Tested inside Docker-in-Docker isolated environment with canary HTTP sidecar.
{"tool": "ckan_package_search", "arguments": {"base_url": "http://canary:8080/ssrf", "query": "test"}}Result: Canary received 9 HTTP requests. The high request volume confirms no rate limiting or URL validation.
Root Cause
No URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces.
Impact
Internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter.
Recommended Fix
- Validate
base_urlagainst a configurable allowlist of permitted CKAN portals - Block private IP ranges (RFC 1918, link-local)
- Block cloud metadata endpoints (169.254.169.254)
- Sanitize SQL input for datastore queries
- SPARQL endpoint allowlist
Credit
Discovered by Andrei Boldyrev of Munio Security Research using munio
AnalysisAI
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.
Technical ContextAI
The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and stems from the absence of URL validation on the base_url parameter across multiple CKAN-related tools in the MCP server implementation. The affected package (pkg:npm/@aborruso/ckan-mcp-server) is a Model Context Protocol server designed to interface with CKAN data portals; however, it fails to enforce any allowlist, blocklist, or URL scheme restrictions on provided endpoints. The root cause is the direct use of user-supplied base_url values in HTTP requests without checking against RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or cloud metadata service endpoints. The ckan_datastore_search_sql tool additionally suffers from unsanitized SQL injection surfaces, while the sparql_query tool similarly accepts injection-prone parameters.
RemediationAI
Upgrade @aborruso/ckan-mcp-server to the patched version released by the vendor (available via https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v). The patch implements URL validation including: (1) an allowlist of permitted CKAN portal endpoints, (2) blocking of RFC 1918 private IP ranges and link-local addresses, (3) blocking of cloud metadata endpoints (169.254.169.254), (4) sanitization of SQL input for datastore queries, and (5) SPARQL endpoint allowlist configuration. Until patching is possible, isolate deployments to networks without internet access, disable the ckan_package_search and sparql_query tools in MCP server configuration, or implement a network-level proxy that restricts outbound connections to explicitly whitelisted CKAN portals and blocks RFC 1918 and 169.254.0.0/16 ranges.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3xm7-qw7j-qc8v