GHSA-39j6-4867-gg4w: utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
Summary
The utcp-http plugin has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests on their behalf) that lets attackers redirect the tool to access internal systems. An attacker can host a fake OpenAPI specification (a standard format describing API endpoints) on a legitimate HTTPS server, but include instructions to access internal addresses like cloud metadata servers. The plugin didn't properly validate these addresses before making requests, allowing attackers to expose sensitive data or internal services to the LLM.
Solution / Mitigation
Upgrade to utcp-http version 1.1.2. The patch adds a new security function called `ensure_secure_url()` that properly validates hostnames (not just string patterns) against a list of allowed addresses, and this validation is now performed both when manually registering tools and right before making requests. Users unable to upgrade should avoid calling `register_manual()` with any untrusted URLs and restrict outbound network access from the agent host to block access to internal addresses (RFC1918 private ranges, 169.254.0.0/16, and loopback addresses).
Vulnerability Details
EPSS: 0.0%
Yes
May 7, 2026
Classification
Taxonomy References
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-39j6-4867-gg4w
First tracked: May 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%