Skip to main content

Docker CVE-2026-33060

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-18 https://github.com/ondata/ckan-mcp-server GHSA-3xm7-qw7j-qc8v
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 13:15 vuln.today
Patch released
Mar 18, 2026 - 13:15 nvd
Patch available
CVE Published
Mar 18, 2026 - 12:59 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

The @aborruso/ckan-mcp-server MCP server provides tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services.

Severity

Attack complexity is HIGH because exploitation requires prompt injection via malicious content (webpage, document) while the victim's AI assistant has this MCP server connected.

Proof of Concept

Tested inside Docker-in-Docker isolated environment with canary HTTP sidecar.

json
{"tool": "ckan_package_search", "arguments": {"base_url": "http://canary:8080/ssrf", "query": "test"}}

Result: Canary received 9 HTTP requests. The high request volume confirms no rate limiting or URL validation.

Root Cause

No URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces.

Impact

Internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter.

Recommended Fix

  1. Validate base_url against a configurable allowlist of permitted CKAN portals
  2. Block private IP ranges (RFC 1918, link-local)
  3. Block cloud metadata endpoints (169.254.169.254)
  4. Sanitize SQL input for datastore queries
  5. SPARQL endpoint allowlist

Credit

Discovered by Andrei Boldyrev of Munio Security Research using munio

AnalysisAI

The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.

Technical ContextAI

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and stems from the absence of URL validation on the base_url parameter across multiple CKAN-related tools in the MCP server implementation. The affected package (pkg:npm/@aborruso/ckan-mcp-server) is a Model Context Protocol server designed to interface with CKAN data portals; however, it fails to enforce any allowlist, blocklist, or URL scheme restrictions on provided endpoints. The root cause is the direct use of user-supplied base_url values in HTTP requests without checking against RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or cloud metadata service endpoints. The ckan_datastore_search_sql tool additionally suffers from unsanitized SQL injection surfaces, while the sparql_query tool similarly accepts injection-prone parameters.

RemediationAI

Upgrade @aborruso/ckan-mcp-server to the patched version released by the vendor (available via https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v). The patch implements URL validation including: (1) an allowlist of permitted CKAN portal endpoints, (2) blocking of RFC 1918 private IP ranges and link-local addresses, (3) blocking of cloud metadata endpoints (169.254.169.254), (4) sanitization of SQL input for datastore queries, and (5) SPARQL endpoint allowlist configuration. Until patching is possible, isolate deployments to networks without internet access, disable the ckan_package_search and sparql_query tools in MCP server configuration, or implement a network-level proxy that restricts outbound connections to explicitly whitelisted CKAN portals and blocks RFC 1918 and 169.254.0.0/16 ranges.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-33060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy