Skip to main content

Apache CVE-2026-34476

| EUVDEUVD-2026-21918 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-13 apache GHSA-c4hg-6933-x62x
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 16:52 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 13, 2026 - 15:39 vuln.today
CVSS changed
Apr 13, 2026 - 15:22 NVD
7.1 (None) 7.1 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 13:15 euvd
EUVD-2026-21918
Analysis Generated
Apr 13, 2026 - 13:15 vuln.today
CVE Published
Apr 13, 2026 - 13:01 nvd
HIGH 7.1

DescriptionCVE.org

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.

This issue affects Apache SkyWalking MCP: 0.1.0.

Users are recommended to upgrade to version 0.2.0, which fixes this issue.

AnalysisAI

Server-Side Request Forgery in Apache SkyWalking MCP 0.1.0 allows authenticated remote attackers to access internal network resources and exfiltrate sensitive data via a malicious SW-URL header. CVSS 7.1 (High severity) with network attack vector and low complexity. No public exploit identified at time of analysis, SSVC framework indicates no active exploitation and non-automatable attack requiring manual interaction with internal architecture knowledge.

Technical ContextAI

Apache SkyWalking MCP (Management and Control Plane) is a distributed tracing and observability platform component for monitoring microservices architectures. This vulnerability stems from CWE-918 (Server-Side Request Forgery), where the application accepts and processes a user-controlled SW-URL header without proper validation or sanitization. The affected component (CPE: cpe:2.3:a:apache_software_foundation:apache_skywalking_mcp) fails to restrict outbound requests initiated by the server, allowing attackers to specify arbitrary URLs that the server will fetch on their behalf. The CVSS vector PR:L indicates low-privileged authentication is required, meaning the attacker must have valid credentials to the MCP instance. The SSRF can bypass network segmentation controls, as the server's trusted network position allows it to reach internal resources typically blocked from external access. The S:U (unchanged scope) indicates the vulnerability is confined to the vulnerable component's security context.

RemediationAI

Upgrade Apache SkyWalking MCP to version 0.2.0 immediately, which contains the complete fix for the SW-URL header SSRF vulnerability. The Apache Security Team advisory is available at https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr with detailed upgrade instructions. If immediate upgrade is not feasible, implement network-level controls to restrict MCP server outbound connections to only necessary endpoints, deploy web application firewall rules to inspect and block suspicious SW-URL header values, enforce strict authentication and minimize privileged account access to MCP interfaces, and monitor server-side request logs for unusual internal network scanning patterns. Review access logs for version 0.1.0 deployments to identify potential historical exploitation attempts targeting internal resources or cloud metadata endpoints.

Share

CVE-2026-34476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy