CVE-2026-45366
Deferred Deferred - Pending Action
Blind SSRF in typescript-utcp @utcp/http Package

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host. This vulnerability is fixed in 1.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45366
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
utcp utcp to 1.1.2 (exc)
utcp http to 1.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the @utcp/http package of typescript-utcp prior to version 1.1.2. It is a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation.

Specifically, the registerManual() function validates the discovery URL against an HTTPS and loopback allowlist, but the callTool() function reuses the resolved toolCallTemplate.url without revalidating it. Additionally, the OpenApiConverter blindly trusts the servers[0].url declared in an attacker-hosted OpenAPI specification.

An attacker can host a malicious OpenAPI spec on a legitimate HTTPS endpoint and declare internal URLs such as http://127.0.0.1:9090 or http://169.254.169.254. The converter then produces tools whose URLs point to internal services on the agent host, enabling SSRF attacks.

This vulnerability was fixed in version 1.1.2.

Impact Analysis

This vulnerability can allow an attacker to perform blind Server-Side Request Forgery (SSRF) attacks by making the vulnerable system send requests to internal services that are normally inaccessible externally.

Such SSRF attacks can lead to unauthorized access to internal resources, potential information disclosure, or interaction with internal services that may not be properly secured.

Because the attacker can cause the system to send requests to internal IP addresses like 127.0.0.1 or 169.254.169.254, this could be used to access sensitive metadata services or other internal endpoints.

The CVSS score of 4.7 indicates a medium severity impact, with low confidentiality and integrity impact but no availability impact.

Mitigation Strategies

To mitigate this vulnerability, upgrade the @utcp/http package to version 1.1.2 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart