CKAN MCP Server CVE-2026-53509
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
PR:L reflects required MCP session; UI:N because attacker directly triggers the SSRF without needing a separate victim action; C:H for internal data exposure; I:N and A:N as no write or availability impact is described.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
A known vulnerability CVE-2026-33060 indicated tools including ckan_package_search and sparql_query that accept a base_url parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exists.
Details
CKAN MCP Server validates caller-supplied CKAN server URLs by inspecting only the parsed hostname string before issuing outbound HTTP requests. In src/utils/http.ts, hostname aliases such as ip6-localhost are not equal to localhost, are not dotted IPv4 literals, and are not bracketed IPv6 literals, so they pass the SSRF filter but can resolve to loopback when the server performs the request. A remote MCP caller that can invoke CKAN tools with a server_url can therefore make the server connect to local or private addresses and, for CKAN-shaped responses, receive response-derived data.
Fix
Replaced the single hostname === 'localhost' check with a blocked-hostname Set covering ip6-localhost and ip6-loopback. Patched in commit c761045a1b7c5f40d2626540dd2ef1d4feb91f8c.
--- @aborruso/ckan-mcp-server thanks hibrian827 for responsibly disclosing this issue.
AnalysisAI
SSRF filter bypass in CKAN MCP Server (@aborruso/ckan-mcp-server) allows a low-privileged remote MCP caller to reach loopback and private network addresses by supplying hostname aliases such as 'ip6-localhost' as the server_url parameter to CKAN tools like ckan_package_search and sparql_query. The prior remediation for CVE-2026-33060 hardened only against dotted IPv4 literals, bracketed IPv6 literals, and the exact string 'localhost', leaving non-canonical loopback aliases unblocked in src/utils/http.ts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a low-privileged MCP session capable of invoking CKAN tools that accept a server_url or base_url parameter (e.g., ckan_package_search, sparql_query). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) reflects network-reachable exploitation by a low-privileged caller with a high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a valid MCP session invokes the ckan_package_search tool and supplies 'http://ip6-localhost:8080/api/3/action/' as the server_url parameter. The SSRF filter in src/utils/http.ts passes 'ip6-localhost' because it matches none of the blocked patterns, and the server issues an outbound HTTP request to the loopback address, potentially returning data from an internal service co-located on the host. … |
| Remediation | Upgrade to @aborruso/ckan-mcp-server v0.4.106 or later, which includes the fix introduced in commit c761045a1b7c5f40d2626540dd2ef1d4feb91f8c. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-g84h-j7jj-x32p