Skip to main content

directus-mcp CVE-2026-7729

| EUVDEUVD-2026-26883 LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
PoC Detected
May 04, 2026 - 15:18 vuln.today
Public exploit code
Severity Changed
May 04, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 05:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 04, 2026 - 05:00 vuln.today
Analysis Generated
May 04, 2026 - 05:00 vuln.today
EUVD ID Assigned
May 04, 2026 - 04:30 euvd
EUVD-2026-26883
Analysis Generated
May 04, 2026 - 04:30 vuln.today
Patch released
May 04, 2026 - 04:30 nvd
Patch available
CVE Published
May 04, 2026 - 03:45 nvd
LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

AnalysisAI

Server-side request forgery (SSRF) in pixelsock directus-mcp 1.0.0 allows authenticated remote attackers to manipulate the fileUrl argument in the validateUrl function, enabling requests to internal resources including cloud metadata services and private networks. Publicly available exploit code exists and a patch awaiting acceptance is available on GitHub. CVSS 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects moderate impact with authentication requirement.

Technical ContextAI

The vulnerability resides in the MCP Interface component's index.ts file, specifically in the validateUrl function that processes user-supplied fileUrl parameters without proper validation. The root cause is CWE-918 (Server-Side Request Forgery), where URL validation is insufficiently restrictive. The affected product is pixelsock directus-mcp (CPE: cpe:2.3:a:pixelsock:directus-mcp:*:*:*:*:*:*:*:*), a Model Context Protocol (MCP) implementation for Directus. The original code accepts URLs without checking whether the resolved hostname maps to forbidden address ranges such as private networks (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12), loopback (127.0.0.0/8), link-local addresses (169.254.0.0/16 including cloud metadata endpoints like 169.254.169.254), or IPv6 equivalents. The patch introduces comprehensive SSRF prevention via DNS resolution validation, IP address parsing, and blocklisting of forbidden ranges including RFC 1918 private space, loopback, link-local, multicast, and cloud metadata addresses.

RemediationAI

Apply the patch from GitHub PR #14 (https://github.com/pixelsock/directus-mcp/pull/14), which replaces the insufficient validateUrl function with comprehensive SSRF protection including DNS resolution, IP validation, and blocklisting of private, loopback, link-local, multicast, and cloud metadata address ranges. If the PR has not yet been merged into a released version at the time of assessment, either apply the patch commits directly to your codebase or wait for the maintainers to merge and release a patched version. As an interim compensating control pending patch deployment, restrict network access from the directus-mcp process to only external, non-private networks via network policy (e.g., firewall rules, container security policies blocking 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 169.254.0.0/16); however, this control is not foolproof if the MCP service has legitimate reasons to contact internal APIs. Alternatively, disable or restrict access to the fileUrl feature if not essential to your use case, reducing the attack surface. Monitor access logs for unexpected internal resource requests or DNS lookups to private address ranges.

Share

CVE-2026-7729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy