CVE-2026-33060
Server-Side Request Forgery and Injection in CKAN MCP Server
Publication date: 2026-03-20
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ondata | ckan_mcp_server | all versions prior to 0.4.85 (0.4.85 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33060 is a Server-Side Request Forgery (SSRF) vulnerability in the CKAN MCP Server versions prior to 0.4.85. The vulnerability arises because certain tools in the server, such as ckan_package_search and sparql_query, accept a base_url parameter without validating it. This allows attackers to make HTTP requests to arbitrary endpoints, including internal network services and cloud metadata endpoints, which a legitimate CKAN client should not access.
There is no URL validation on the base_url parameter, no blocking of private IP ranges (like RFC 1918 addresses or link-local 169.254.x.x), and no blocking of cloud metadata endpoints (169.254.169.254). This lack of restrictions enables attackers to perform unauthorized internal network scanning, steal cloud metadata such as IAM credentials via the Instance Metadata Service, and potentially execute SQL or SPARQL injection attacks through unsanitized query parameters.
Exploitation requires prompt injection to control the base_url parameter, which is considered a high complexity attack vector. The issue was fixed in version 0.4.85 by adding proper validation and restrictions.
How can this vulnerability impact me?
This vulnerability can have several impacts including unauthorized internal network scanning, which may reveal sensitive internal services and infrastructure details.
Attackers can steal cloud metadata, such as IAM credentials, by accessing the Instance Metadata Service at 169.254.169.254. This can lead to unauthorized access to cloud resources and potential further compromise.
There is also a risk of SQL or SPARQL injection attacks due to unsanitized query parameters, which could lead to data leakage or manipulation.
Overall, the vulnerability can compromise confidentiality of sensitive data and cloud credentials, potentially leading to broader security breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized HTTP requests originating from the CKAN MCP Server to internal network services or cloud metadata endpoints such as 169.254.169.254.
A proof of concept showed that supplying a malicious base_url pointing to an internal canary HTTP service resulted in multiple unauthorized HTTP requests, indicating the absence of URL validation and rate limiting.
To detect exploitation attempts, you can monitor network traffic for unusual outbound requests to private IP ranges (RFC 1918), link-local addresses (169.254.x.x), or cloud metadata endpoints (169.254.169.254).
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests from the MCP server to suspicious internal or metadata IP addresses.
- Example tcpdump command to capture traffic to the cloud metadata IP: `tcpdump -i <interface> host 169.254.169.254`
- Check application logs for usage of the base_url parameter in ckan_package_search, sparql_query, or ckan_datastore_search_sql tools to identify unexpected or unauthorized URLs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include validating and restricting the base_url parameter used by the CKAN MCP Server tools to only allow requests to trusted CKAN portals.
Blocking access to private IP ranges (RFC 1918), link-local addresses (169.254.x.x), and cloud metadata endpoints (169.254.169.254) is also recommended to prevent unauthorized internal network scanning and metadata theft.
Sanitizing SQL inputs for datastore queries can help prevent potential SQL/SPARQL injection attacks.
Upgrading the CKAN MCP Server to version 0.4.85 or later, where this vulnerability is fixed, is the most effective mitigation.
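The validation the mitigation above describes, written out as an added Python example that is not the project's own code (the fix in 0.4.85 may differ): the `base_url` must use https, name a host on a configured allowlist of trusted CKAN portals, and resolve only to public addresses, so loopback, RFC 1918, link-local (including 169.254.169.254) and IPv4-mapped IPv6 forms are refused even when a trusted name is pointed at them. The allowlist hosts and the injectable `resolver` are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist; a real deployment configures its own trusted portals.
TRUSTED_CKAN_HOSTS = {"demo.ckan.org", "data.example.org"}


def _default_resolver(host):
    """All IP addresses a hostname currently resolves to (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_disallowed_ip(ip):
    """True for addresses an outbound CKAN request must never reach: loopback,
    private (RFC 1918 / ULA), link-local (covers 169.254.169.254), multicast,
    reserved and unspecified. IPv4-mapped IPv6 is unwrapped first so
    ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    addr = ipaddress.ip_address(ip)
    addr = getattr(addr, "ipv4_mapped", None) or addr
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_base_url(base_url, trusted_hosts=TRUSTED_CKAN_HOSTS,
                      resolver=_default_resolver):
    """Return a normalised base URL or raise ValueError.
    Order of checks: scheme, embedded credentials, allowlisted host, and
    every resolved address being public. The resolution check matters even
    with an allowlist: a trusted name that is rebound or misconfigured to a
    private range must still be refused. Resolving here and again at connect
    time leaves a rebinding window; pin the validated IP if that matters."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"scheme {parts.scheme!r} not allowed; https required")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in base_url are not allowed")
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        raise ValueError(f"host {host!r} is not a trusted CKAN portal")
    for ip in resolver(host):
        if is_disallowed_ip(ip):
            raise ValueError(f"host {host!r} resolves to disallowed address {ip}")
    port = "" if parts.port is None else f":{parts.port}"
    return f"https://{host}{port}{parts.path.rstrip('/')}"


def is_trusted_base_url(base_url, **kwargs):
    """Boolean form of validate_base_url for callers that only need yes/no."""
    try:
        validate_base_url(base_url, **kwargs)
        return True
    except ValueError:
        return False
```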