CVE-2026-5607
Received Received - Intake
Server-Side Request Forgery in imprvhub MCP-Browser-Agent URL Handler

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in imprvhub mcp-browser-agent up to 0.8.0. This impacts the function CallToolRequestSchema of the file src/handlers.ts of the component URL Parameter Handler. The manipulation of the argument request.params.name/request.params.arguments leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5607
EUVD
EUVD-2026-19144
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
imprvhub mcp-browser-agent to 0.8.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5607 is a Server-Side Request Forgery (SSRF) vulnerability found in the imprvhub mcp-browser-agent up to version 0.8.0. It affects the CallToolRequestSchema function in the src/handlers.ts file, specifically in the URL Parameter Handler component.

The vulnerability occurs because user-controlled inputs, specifically request.params.name and request.params.arguments, are passed without proper validation into functions that perform network requests. This allows an attacker to coerce the server into sending requests to arbitrary URLs, including internal or sensitive endpoints.

The attack can be carried out remotely by invoking the MCP transport interface with crafted arguments. There are no effective allowlists, blocklists, or SSRF protections in place to validate or restrict the URLs before they are used in browser navigation or HTTP client requests.

Impact Analysis

This vulnerability can have serious security impacts including unauthorized access to internal systems and exfiltration of sensitive data.

  • Confidentiality risk: Attackers can access internal HTTP services or cloud metadata endpoints and retrieve sensitive information.
  • Integrity and Availability risk: Depending on the internal services reachable, attackers might exploit unsafe internal APIs, potentially causing medium to high impact on system integrity and availability.

Overall, the vulnerability enables network-layer abuse from trusted MCP input, which can lead to significant security breaches if exploited.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized requests to the MCP transport interface, especially those invoking the 'tools/call' method with crafted parameters that include URLs in request.params.name or request.params.arguments.

Detection can involve inspecting logs for JSON-RPC requests that call the 'browser_navigate' tool or other API tools with suspicious URLs, particularly those targeting internal IP ranges (e.g., 127.0.0.1, RFC1918 addresses) or cloud metadata endpoints.

Suggested commands include using network monitoring tools or log analysis to filter for such requests. For example, using grep on server logs to find suspicious calls:

  • grep -i 'browser_navigate' /path/to/mcp-browser-agent/logs
  • grep -E '"params".*"url".*"http://' /path/to/mcp-browser-agent/logs

Additionally, network traffic capture tools like tcpdump or Wireshark can be used to detect outbound requests to internal or unusual IP addresses initiated by the mcp-browser-agent.

Mitigation Strategies

Immediate mitigation steps include enforcing strict URL validation policies on all inputs to the MCP transport interface, especially for the 'args.url' parameter.

  • Implement allowlisting of schemes and hosts, blocking private, link-local, and cloud metadata IP ranges before any use of Playwright's page.goto or APIRequestContext methods.
  • Require authentication, authorization, and auditing on MCP endpoints to restrict access to trusted users only.
  • Apply rate limiting on sensitive tools to reduce the risk of automated exploitation.
  • Prefer outbound proxying with organizational policies rather than allowing direct network egress from the agent host.

Longer term, validate or block 'args.url' and related inputs within the code before invoking vulnerable functions like initApiClient, page.goto, or HTTP client methods.

Compliance Impact

The vulnerability allows server-side request forgery (SSRF), which can lead to unauthorized access to internal systems and exfiltration of sensitive data.

Such unauthorized access and potential data leakage could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive and personal data against unauthorized access.

Because the vulnerability enables attackers to access internal HTTP services and cloud metadata endpoints, it poses a confidentiality risk that may violate these standards' requirements for data confidentiality and integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5607. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart