Skip to main content

utcp-http CVE-2026-44661

| EUVDEUVD-2026-30479 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-07 https://github.com/universal-tool-calling-protocol/python-utcp GHSA-39j6-4867-gg4w
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 23:15 vuln.today
Analysis Generated
May 07, 2026 - 23:15 vuln.today
CVE Published
May 07, 2026 - 22:32 nvd
MEDIUM 4.7

DescriptionGitHub Advisory

Summary

The utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.url directly without revalidating. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare servers: [{ url: "http://169.254.169.254" }] (or any internal address) in the spec; the OpenAPI converter blindly trusts that value and the tool becomes a blind SSRF primitive that exposes cloud metadata, internal services, and other firewalled-only endpoints to the LLM caller.

All three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) shared the same gap, plus a separate prefix-bypass: the previous startswith("http://localhost") check let URLs like http://localhost.evil.com through.

Impact

A remote attacker who can convince the agent (via the LLM context, prompt injection, or a tool-discovery surface) to register their HTTPS OpenAPI URL can:

  • Map internal networks behind the agent.
  • Read AWS/GCP IAM credentials from cloud metadata endpoints (http://169.254.169.254, http://metadata.google.internal).
  • Reach unauthenticated internal services (Elasticsearch, Redis HTTP, internal admin panels).
  • Have responses returned to the LLM, which combined with prompt injection enables exfiltration back to the attacker.

Affected versions

utcp-http <= 1.1.1.

Patched versions

utcp-http 1.1.2.

Patch

Commit: 5b16e43 on dev.

  • New utcp_http._security helper: ensure_secure_url(url, context=...) parses the URL with urllib.parse.urlparse and validates the hostname (not a string prefix) against the loopback set, closing the localhost.evil.com bypass.
  • All three protocols call ensure_secure_url(url, context="manual discovery") in register_manual (replacing the duplicated prefix check) and ensure_secure_url(url, context="tool invocation") immediately before each aiohttp request in call_tool / call_tool_streaming. The runtime check is the actual SSRF fix.
  • New regression tests in test_security.py pin the accept/reject decisions and explicitly cover the historical bypass cases.

Workarounds

For users who cannot upgrade immediately:

  • Refuse to call register_manual with any URL controlled by an untrusted party, even over HTTPS.
  • Restrict outbound network access from the host running the agent so internal addresses (RFC1918, 169.254.0.0/16, loopback for cloud metadata) are unreachable.

Credit

Discovered and reported by @YLChen-007 in #83.

AnalysisAI

Server-Side Request Forgery in utcp-http allows remote attackers to access internal cloud metadata endpoints and firewalled services by hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint that declares internal server URLs, which are then blindly trusted during tool invocation without revalidation. The vulnerability affects utcp-http versions 1.1.1 and earlier, where call_tool() and call_tool_streaming() reuse previously resolved URLs from OpenAPI specs without re-checking security constraints, combined with a string-prefix bypass (localhost.evil.com bypassing startswith checks). This is a blind SSRF that exposes cloud metadata (AWS/GCP credentials from 169.254.169.254), internal services like Elasticsearch and Redis, and enables exfiltration via LLM responses when combined with prompt injection. No public exploit code or active exploitation is currently identified, but the vulnerability requires only network-level access and user interaction (convincing an LLM agent to register a malicious tool).

Technical ContextAI

The utcp-http plugin implements the Universal Tool Calling Protocol (UTCP) HTTP transport layer for LLM agent tool calling. It processes OpenAPI specifications (tool definitions) through an OpenAPI converter that extracts server URLs from the servers[0].url field in the specification. The vulnerability stems from a trust-boundary inconsistency: register_manual() validates discovery URLs against an HTTPS/loopback allowlist, but call_tool() and call_tool_streaming() in three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) directly reuse the tool_call_template.url resolved from the OpenAPI spec without re-validating it against security constraints. Additionally, the previous hostname validation used startswith('http://localhost') string matching, which fails to properly validate hostnames and allows bypasses like http://localhost.evil.com. The root cause is classified as CWE-918 (Server-Side Request Forgery), where user-controlled server declarations in an externally hosted OpenAPI spec are treated as trusted after initial discovery validation, but not re-validated at invocation time. The fix introduces a dedicated ensure_secure_url(url, context) security helper using urllib.parse.urlparse for proper hostname validation and applies it at both registration and invocation time.

RemediationAI

Upgrade utcp-http to version 1.1.2 or later, which includes the new ensure_secure_url(url, context) security validation helper that properly parses hostnames using urllib.parse.urlparse and re-validates URLs at both registration and invocation time. The patch is available via pip with pip install --upgrade utcp-http>=1.1.2 and is tracked in commit 5b16e43 on the dev branch of the upstream repository. For users unable to upgrade immediately, apply these workarounds: (1) Strictly refuse to call register_manual() with any OpenAPI URLs controlled by untrusted parties, even if served over HTTPS; verify OpenAPI specifications before registration. (2) Restrict outbound network access from the host running the agent so that internal address ranges (RFC1918 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, link-local 169.254.0.0/16, and localhost 127.0.0.1/32) are unreachable via firewall rules or host-level egress filtering-this prevents SSRF requests from reaching cloud metadata endpoints and internal services even if exploited. (3) Disable dynamic tool registration and maintain a static, pre-vetted allowlist of OpenAPI specifications. Note that these workarounds have trade-offs: network restriction may break legitimate use cases if the agent needs to call internal services, and static allowlists reduce flexibility. The patch is the recommended path forward.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-44661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy