Skip to main content

CKAN MCP Server CVE-2026-53509

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-07 https://github.com/ondata/ckan-mcp-server GHSA-g84h-j7jj-x32p
5.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects required MCP session; UI:N because attacker directly triggers the SSRF without needing a separate victim action; C:H for internal data exposure; I:N and A:N as no write or availability impact is described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 20:21 vuln.today

DescriptionGitHub Advisory

Summary

A known vulnerability CVE-2026-33060 indicated tools including ckan_package_search and sparql_query that accept a base_url parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exists.

Details

CKAN MCP Server validates caller-supplied CKAN server URLs by inspecting only the parsed hostname string before issuing outbound HTTP requests. In src/utils/http.ts, hostname aliases such as ip6-localhost are not equal to localhost, are not dotted IPv4 literals, and are not bracketed IPv6 literals, so they pass the SSRF filter but can resolve to loopback when the server performs the request. A remote MCP caller that can invoke CKAN tools with a server_url can therefore make the server connect to local or private addresses and, for CKAN-shaped responses, receive response-derived data.

Fix

Replaced the single hostname === 'localhost' check with a blocked-hostname Set covering ip6-localhost and ip6-loopback. Patched in commit c761045a1b7c5f40d2626540dd2ef1d4feb91f8c.

--- @aborruso/ckan-mcp-server thanks hibrian827 for responsibly disclosing this issue.

AnalysisAI

SSRF filter bypass in CKAN MCP Server (@aborruso/ckan-mcp-server) allows a low-privileged remote MCP caller to reach loopback and private network addresses by supplying hostname aliases such as 'ip6-localhost' as the server_url parameter to CKAN tools like ckan_package_search and sparql_query. The prior remediation for CVE-2026-33060 hardened only against dotted IPv4 literals, bracketed IPv6 literals, and the exact string 'localhost', leaving non-canonical loopback aliases unblocked in src/utils/http.ts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish low-privileged MCP session
Delivery
Invoke CKAN tool with ip6-localhost server_url
Exploit
Bypass incomplete SSRF hostname denylist
Execution
Server issues HTTP GET to loopback address
Impact
Receive internal service response data via CKAN tool output

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a low-privileged MCP session capable of invoking CKAN tools that accept a server_url or base_url parameter (e.g., ckan_package_search, sparql_query). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) reflects network-reachable exploitation by a low-privileged caller with a high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid MCP session invokes the ckan_package_search tool and supplies 'http://ip6-localhost:8080/api/3/action/' as the server_url parameter. The SSRF filter in src/utils/http.ts passes 'ip6-localhost' because it matches none of the blocked patterns, and the server issues an outbound HTTP request to the loopback address, potentially returning data from an internal service co-located on the host. …
Remediation Upgrade to @aborruso/ckan-mcp-server v0.4.106 or later, which includes the fix introduced in commit c761045a1b7c5f40d2626540dd2ef1d4feb91f8c. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy