CVE-2026-33060

描述

## Summary The `@aborruso/ckan-mcp-server` MCP server provides tools including `ckan_package_search` and `sparql_query` that accept a `base_url` parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. ## Severity Attack complexity is HIGH because exploitation requires prompt injection via malicious content (webpage, document) while the victim's AI assistant has this MCP server connected. ## Proof of Concept Tested inside Docker-in-Docker isolated environment with canary HTTP sidecar. ```json {"tool": "ckan_package_search", "arguments": {"base_url": "http://canary:8080/ssrf", "query": "test"}} ``` **Result**: Canary received **9 HTTP requests**. The high request volume confirms no rate limiting or URL validation. ## Root Cause No URL validation on `base_url` parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The `sparql_query` and `ckan_datastore_search_sql` tools also accept arbitrary base URLs and expose injection surfaces. ## Impact Internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the `base_url` parameter. ## Recommended Fix 1. Validate `base_url` against a configurable allowlist of permitted CKAN portals 2. Block private IP ranges (RFC 1918, link-local) 3. Block cloud metadata endpoints (169.254.169.254) 4. Sanitize SQL input for datastore queries 5. SPARQL endpoint allowlist ## Credit Discovered by [Andrei Boldyrev](https://github.com/abcgco) of Munio Security Research using [munio](https://munio.dev)

如何修補 CVE-2026-33060

要修補 CVE-2026-33060,請將受影響套件升級到下列已修補版本。

• —升級至 0.4.85 或更新版本

CVE-2026-33060 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)