Executive Summary

CVE-2026-7147 is a Server-Side Request Forgery (SSRF) vulnerability found in the mcp-chat-studio project, specifically in the file server/routes/llm.js and related workflow execution components.

The issue arises because user-controlled input, such as the HTTP request parameter req.query.base_url and parts of the request body (llmConfig), are used directly in outbound HTTP requests without proper validation or sanitization.

This allows an attacker to manipulate these parameters to make the server send HTTP requests to arbitrary URLs, including internal network addresses or cloud metadata services, potentially exposing sensitive internal resources.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-7147 vulnerability is a Server-Side Request Forgery (SSRF) issue that can lead to high confidentiality risks if internal HTTP services or cloud metadata endpoints are accessed. This exposure of sensitive data could potentially impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Because the vulnerability allows attackers to make arbitrary HTTP requests from the server, it may lead to unauthorized disclosure of sensitive data, violating confidentiality requirements mandated by these standards.

Mitigations such as strict allowlists, authentication, authorization, and audit logging are recommended to reduce the risk and help maintain compliance with these regulations.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can impact you by allowing attackers to make the vulnerable server perform HTTP requests to arbitrary destinations, including internal or protected network resources.

• Confidentiality risk: Attackers may access sensitive internal data or cloud metadata endpoints.
• Integrity risk: Depending on the internal APIs, attackers might trigger state-changing operations, though this risk is lower.
• Availability risk: Attackers could cause denial of service by flooding requests or triggering long-running operations.

Overall, the vulnerability can lead to unauthorized information disclosure and potential disruption of services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the Server-Side Request Forgery (SSRF) via the vulnerable HTTP endpoints that accept user-controlled URLs.

Two example commands to test for the vulnerability are:

• Using curl to test the /api/llm/models endpoint by supplying a base_url parameter that points to an internal or attacker-controlled server: curl -s 'http://127.0.0.1:3000/api/llm/models?base_url=http://127.0.0.1:11434'
• Using curl to test the workflow execution endpoint with an attacker-supplied LLM base URL in the JSON body: curl -s http://127.0.0.1:3000/api/workflows/test/execute -H 'Content-Type: application/json' -d '{"input":"hello","llmConfig":{"provider":"openai","base_url":"http://127.0.0.1:8000","api_key":"x","model":"gpt-4o-mini"}}'

Successful responses or unexpected outbound requests from the server to the specified URLs indicate the presence of the SSRF vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and filtering of user-supplied URLs to prevent SSRF exploitation.

• Implement strict allowlists for URL schemes, hosts, ports, and paths to restrict outbound requests.
• Reject requests targeting loopback addresses, link-local addresses, RFC1918 private IP ranges, and cloud metadata services after DNS resolution and redirect handling.
• Disable or restrict user-supplied fetch/navigation targets unless explicitly required by business logic.
• Add authentication, authorization, audit logging, and rate limiting on sensitive endpoints to reduce attack surface.

Long-term fixes include removing direct flow of attacker-controlled input to outbound HTTP request functions and adding schema validation at the application boundary.

Useful 0 Not Useful 0