CVE-2026-33060
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
## Summary

The `@aborruso/ckan-mcp-server` MCP server provides tools including `ckan_package_search` and `sparql_query` that accept a `base_url` parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services.

## Severity

Attack complexity is HIGH because exploitation requires prompt injection via malicious content (webpage, document) while the victim's AI assistant has this MCP server connected.

## Proof of Concept

Tested inside Docker-in-Docker isolated environment with canary HTTP sidecar.

```json
{"tool": "ckan_package_search", "arguments": {"base_url": "http://canary:8080/ssrf", "query": "test"}}
```

**Result**: Canary received **9 HTTP requests**. The high request volume confirms no rate limiting or URL validation.

## Root Cause

No URL validation on `base_url` parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The `sparql_query` and `ckan_datastore_search_sql` tools also accept arbitrary base URLs and expose injection surfaces.

## Impact

Internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the `base_url` parameter.

## Recommended Fix

1. Validate `base_url` against a configurable allowlist of permitted CKAN portals
2. Block private IP ranges (RFC 1918, link-local)
3. Block cloud metadata endpoints (169.254.169.254)
4. Sanitize SQL input for datastore queries
5. SPARQL endpoint allowlist

## Credit

Discovered by [Andrei Boldyrev](https://github.com/abcgco) of Munio Security Research using [munio](https://munio.dev)
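Items 1 to 3 of the recommended fix can be sketched as a single `base_url` gate that runs before any tool issues a request. This is an added example, not the project's code or the vendor patch; `validateBaseUrl`, `isBlockedV4` and the allowlist entries are hypothetical names and constructed values.

```javascript
// Added example, not the project's code. ALLOWED_PORTALS is a constructed
// allowlist; validateBaseUrl and isBlockedV4 are hypothetical names.
const ALLOWED_PORTALS = new Set(["ckan.example.org", "data.example.net"]);

// RFC 1918, loopback, link-local (covers 169.254.169.254), CGNAT, "this network".
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad string to unsigned 32-bit integer.
const v4ToInt = (ip) =>
  ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);

// Also meant for addresses returned by DNS resolution, since an allowlisted
// name can still resolve to an internal address.
function isBlockedV4(ip) {
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === v4ToInt(net);
  });
}

function validateBaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // The WHATWG parser has already normalised decimal, hex and octal IPv4
  // spellings to dotted-quad, so one pattern is enough here.
  const host = url.hostname.replace(/\.$/, "");
  if (host.startsWith("[")) {
    return { ok: false, reason: "IPv6 literal rejected" }; // conservative choice
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isBlockedV4(host)) {
    return { ok: false, reason: "private or link-local address" };
  }
  if (!ALLOWED_PORTALS.has(host)) {
    return { ok: false, reason: "host not in portal allowlist" };
  }
  return { ok: true, origin: url.origin };
}
```

The tool handler should build its request from the returned `origin` rather than the raw string, and disable or re-validate HTTP redirects so an allowed portal cannot bounce the request to a blocked address.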
Analysis
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools. These tools accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, which makes attack complexity high. A proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and a vendor patch is available.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
External POC / Exploit Code
GHSA-3xm7-qw7j-qc8v