CVE-2026-33060
Received Received - Intake
Server-Side Request Forgery and Injection in CKAN MCP Server

Publication date: 2026-03-20

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ondata ckan_mcp_server to 0.4.85 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33060 is a Server-Side Request Forgery (SSRF) vulnerability in the CKAN MCP Server versions prior to 0.4.85. The vulnerability arises because certain tools in the server, such as ckan_package_search and sparql_query, accept a base_url parameter without validating it. This allows attackers to make HTTP requests to arbitrary endpoints, including internal network services and cloud metadata endpoints, which a legitimate CKAN client should not access.

There is no URL validation on the base_url parameter, no blocking of private IP ranges (like RFC 1918 addresses or link-local 169.254.x.x), and no blocking of cloud metadata endpoints (169.254.169.254). This lack of restrictions enables attackers to perform unauthorized internal network scanning, steal cloud metadata such as IAM credentials via the Instance Metadata Service, and potentially execute SQL or SPARQL injection attacks through unsanitized query parameters.

Exploitation requires prompt injection to control the base_url parameter, which is considered a high complexity attack vector. The issue was fixed in version 0.4.85 by adding proper validation and restrictions.

Impact Analysis

This vulnerability can have several impacts including unauthorized internal network scanning, which may reveal sensitive internal services and infrastructure details.

Attackers can steal cloud metadata, such as IAM credentials, by accessing the Instance Metadata Service at 169.254.169.254. This can lead to unauthorized access to cloud resources and potential further compromise.

There is also a risk of SQL or SPARQL injection attacks due to unsanitized query parameters, which could lead to data leakage or manipulation.

Overall, the vulnerability can compromise confidentiality of sensitive data and cloud credentials, potentially leading to broader security breaches.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized HTTP requests originating from the CKAN MCP Server to internal network services or cloud metadata endpoints such as 169.254.169.254.

A proof of concept showed that supplying a malicious base_url pointing to an internal canary HTTP service resulted in multiple unauthorized HTTP requests, indicating the absence of URL validation and rate limiting.

To detect exploitation attempts, you can monitor network traffic for unusual outbound requests to private IP ranges (RFC 1918), link-local addresses (169.254.x.x), or cloud metadata endpoints (169.254.169.254).

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests from the MCP server to suspicious internal or metadata IP addresses.
  • Example tcpdump command to capture traffic to cloud metadata IP: tcpdump -i <interface> host 169.254.169.254
  • Check application logs for usage of the base_url parameter in ckan_package_search, sparql_query, or ckan_datastore_search_sql tools to identify unexpected or unauthorized URLs.
Mitigation Strategies

Immediate mitigation steps include validating and restricting the base_url parameter used by the CKAN MCP Server tools to only allow requests to trusted CKAN portals.

Blocking access to private IP ranges (RFC 1918), link-local addresses (169.254.x.x), and cloud metadata endpoints (169.254.169.254) is also recommended to prevent unauthorized internal network scanning and metadata theft.

Sanitizing SQL inputs for datastore queries can help prevent potential SQL/SPARQL injection attacks.

Upgrading the CKAN MCP Server to version 0.4.85 or later, where this vulnerability is fixed, is the most effective mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart