{"data":{"id":"737c3775-3a24-4a6c-8d53-f49e7658f823","title":"GHSA-3xm7-qw7j-qc8v: SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks","summary":"The @aborruso/ckan-mcp-server tool allows attackers to make HTTP requests to any address by controlling the `base_url` parameter, which has no validation or filtering. An attacker can use prompt injection (tricking the AI by hiding instructions in its input) to make the tool scan internal networks or steal cloud credentials, but exploitation requires the victim's AI assistant to have this server connected.","solution":"The source explicitly recommends: (1) Validate `base_url` against a configurable allowlist of permitted CKAN portals, (2) Block private IP ranges (RFC 1918, link-local addresses like 169.254.x.x), (3) Block cloud metadata endpoints (169.254.169.254), (4) Sanitize SQL input for datastore queries, and (5) Implement a SPARQL endpoint allowlist.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-3xm7-qw7j-qc8v","publishedAt":"2026-03-18T12:59:42.000Z","cveId":"CVE-2026-33060","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["@aborruso/ckan-mcp-server@< 0.4.85 (fixed: 0.4.85)"],"affectedVendors":[],"affectedVendorsRaw":["@aborruso/ckan-mcp-server"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-18T12:59:42.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0051"]}}