Which versions of Api Lab Mcp are affected by CVE-2026-5832?

CVE-2026-5832 is a Server-Side Request Forgery (SSRF) vulnerability in atototo api-lab-mcp versions up to 0.2.1 that allows unauthenticated attackers to manipulate API parameters and force the server…

Is there a public PoC exploit available for CVE-2026-5832?

Yes, a public proof-of-concept exploit is available for CVE-2026-5832. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-5832?

Within 24 hours: Inventory all instances of atototo api-lab-mcp and identify which versions (up to 0.2.1) are deployed; immediately restrict network access to affected HTTP interfaces using firewall rules. Within 7 days: Isolate or air-gap affected instances pending patch availability; implement network segmentation to prevent the server from accessing sensitive internal resources (restrict outbound connections to only necessary external APIs). Within 30 days: Establish a vendor communication protocol with atototo maintainers to track patch release status; prepare upgrade plan for versions beyond 0.2.1 when available.

Api Lab Mcp CVE-2026-5832

Q: What is the CVSS score of CVE-2026-5832?

CVE-2026-5832 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-20831 MEDIUM

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-09 VulDB

SSRF Api Lab Mcp

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 09, 2026 - 02:16 vuln.today

Public exploit code

EUVD ID Assigned

Apr 09, 2026 - 02:15 euvd

EUVD-2026-20831

Analysis Generated

Apr 09, 2026 - 02:15 vuln.today

CVE Published

Apr 09, 2026 - 02:00 nvd

MEDIUM 6.9

DescriptionCVE.org

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-Side Request Forgery (SSRF) in atototo api-lab-mcp versions up to 0.2.1 allows unauthenticated remote attackers to manipulate source/url parameters in analyze_api_spec, generate_test_scenarios, and test_http_endpoint functions within the HTTP interface (http-server.ts). Exploitation permits unauthorized requests to internal or external resources, potentially exposing sensitive data, bypassing access controls, or conducting port scanning. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	Network-accessible SSRF in unauthenticated HTTP interface with moderate severity (CVSS 7.3). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker sends crafted HTTP request to analyze_api_spec/generate_test_scenarios/test_http_endpoint with malicious source/url parameter pointing to internal service (e.g., localhost:8080, metadata endpoint). Server processes request, leaking internal data or enabling lateral movement. …
Remediation	No vendor-released patch identified at time of analysis despite early disclosure via GitHub issue #4 (https://github.com/atototo/api-lab-mcp/issues/4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all instances of atototo api-lab-mcp and identify which versions (up to 0.2.1) are deployed; immediately restrict network access to affected HTTP interfaces using firewall rules. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5832 vulnerability details – vuln.today

Back