{"data":{"id":"47f2e472-75ce-4760-868a-039fbf59bf7a","title":"GHSA-39j6-4867-gg4w: utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol","summary":"The utcp-http plugin has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests on their behalf) that lets attackers redirect the tool to access internal systems. An attacker can host a fake OpenAPI specification (a standard format describing API endpoints) on a legitimate HTTPS server, but include instructions to access internal addresses like cloud metadata servers. The plugin didn't properly validate these addresses before making requests, allowing attackers to expose sensitive data or internal services to the LLM.","solution":"Upgrade to utcp-http version 1.1.2. The patch adds a new security function called `ensure_secure_url()` that properly validates hostnames (not just string patterns) against a list of allowed addresses, and this validation is now performed both when manually registering tools and right before making requests.\nUsers unable to upgrade should avoid calling `register_manual()` with any untrusted URLs and restrict outbound network access from the agent host to block access to internal addresses (RFC1918 private ranges, 169.254.0.0/16, and loopback addresses).","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-39j6-4867-gg4w","publishedAt":"2026-05-07T22:32:54.000Z","cveId":"CVE-2026-44661","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection","rag_poisoning"],"issueType":"vulnerability","affectedPackages":["utcp-http@<= 1.1.1 (fixed: 1.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["utcp-http","LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-07T22:32:54.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":["AML.T0020","AML.T0051","AML.T0051.001"]}}