AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-3xm7-qw7j-qc8v: SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks

mediumvulnerabilityLLM-Specific

security

Source: GitHub Advisory DatabaseMarch 18, 2026CVE-2026-33060

Summary

The @aborruso/ckan-mcp-server tool allows attackers to make HTTP requests to any address by controlling the `base_url` parameter, which has no validation or filtering. An attacker can use prompt injection (tricking the AI by hiding instructions in its input) to make the tool scan internal networks or steal cloud credentials, but exploitation requires the victim's AI assistant to have this server connected.

Solution / Mitigation

The source explicitly recommends: (1) Validate `base_url` against a configurable allowlist of permitted CKAN portals, (2) Block private IP ranges (RFC 1918, link-local addresses like 169.254.x.x), (3) Block cloud metadata endpoints (169.254.169.254), (4) Sanitize SQL input for datastore queries, and (5) Implement a SPARQL endpoint allowlist.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

March 18, 2026

Classification

Attack Type

Prompt Injection

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

MITRE ATLAS (AI/ML Threat Technique)

AML.T0051

Affected Vendors

Affected Packages

@aborruso/ckan-mcp-server@< 0.4.85 (fixed: 0.4.85)

Related Issues

high

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

Similar attackEmbrace The Red

medium

CVE-2024-45989: Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Act

First tracked: March 18, 2026 at 09:00 AM

Classified by LLM (prompt v3) · confidence: 85%