CVE-2026-5323
Received Received - Intake
Server-Side Request Forgery in priyankark a11y-mcp Local Component

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Upgrading to version 1.0.6 is able to resolve this issue. The patch is identified as e3e11c9e8482bd06b82fd9fced67be4856f0dffc. It is recommended to upgrade the affected component. The vendor acknowledged the issue but provides additional context for the CVSS rating: "a11y-mcp is a local stdio MCP server - it has no HTTP endpoint and is not network-accessible. The caller is always the local user or an LLM acting on their behalf with user approval."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-04-02
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5323
EUVD
EUVD-2026-18130
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
priyankark a11y-mcp to 1.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5323 is a Server-Side Request Forgery (SSRF) vulnerability found in the a11y-mcp project, specifically in the function A11yServer within src/index.js. The vulnerability occurs because the server accepts URLs from local users and passes them directly to Puppeteer's navigation method without proper validation or restrictions. This allows an attacker with local access to cause the server to make HTTP requests to arbitrary internal or external resources, including sensitive internal network addresses or cloud metadata endpoints.

The vulnerability requires the attacker to have local access to invoke the vulnerable handlers, as the server is not network-accessible externally. The issue was publicly disclosed and fixed in version 1.0.6 by introducing strict URL validation to block requests to internal or disallowed network addresses.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker with local access to make the server perform unauthorized HTTP requests to internal or external resources. This can lead to several security risks:

  • Confidentiality risks if internal HTTP services or cloud metadata endpoints are accessed, potentially exposing sensitive information.
  • Integrity risks if internal APIs accept state-changing requests, allowing modification of internal data or configurations.
  • Availability risks due to potential request flooding or long-running fetches that could degrade server performance.

However, exploitation requires local access and the ability to invoke the vulnerable MCP handlers, which are not network-exposed by default.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability involves server-side request forgery (SSRF) in the a11y-mcp MCP server, specifically in handlers that accept URLs and navigate to them using Puppeteer without strict validation.

Detection can be performed by monitoring or intercepting calls to the vulnerable MCP handlers such as `audit_webpage` and `get_summary` that accept URLs. Observing unexpected or suspicious navigation requests to internal or external resources from the server may indicate exploitation.

A proof-of-concept involves sending JSON-RPC requests to the `tools/call` method with attacker-controlled URLs, for example targeting internal IPs like `http://127.0.0.1:8000/ssrf_test`.

Suggested commands or detection methods include:

  • Monitor logs or network traffic for outbound HTTP requests initiated by the a11y-mcp server to unexpected internal IPs or cloud metadata endpoints.
  • Use JSON-RPC client tools to test the MCP server by invoking the vulnerable handlers with controlled URLs to see if the server performs navigation to those URLs.
  • Example JSON-RPC request to test SSRF (replace URL with target): ``` { "jsonrpc": "2.0", "method": "tools/call", "params": { "tool": "audit_webpage", "args": {"url": "http://127.0.0.1:8000/ssrf_test"} }, "id": 1 } ```

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the a11y-mcp component to version 1.0.6 or later, which includes the patch that implements strict URL validation to prevent SSRF.

Additional immediate steps include:

  • Apply strict URL allowlists for scheme, host, port, and path to reject requests to loopback, link-local, private IP ranges, and cloud metadata endpoints.
  • Disable or restrict the ability to invoke vulnerable MCP handlers from untrusted or unauthenticated sources.
  • Add authentication, authorization, audit logging, and rate limiting around sensitive MCP or HTTP handlers.
  • If upgrading immediately is not possible, consider disabling or restricting the affected functionality to prevent exploitation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided context and resources do not explicitly discuss the impact of CVE-2026-5323 on compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart