CVE-2026-7729
Server-Side Request Forgery in Directus MCP
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pixelsock | directus-mcp | 1.0.0 |
| pixelsock | directus-api-extended | * |
| axios | axios | * |
| modelcontextprotocol | inspector | * |
| form-data | form-data | * |
| path-to-regexp | path-to-regexp | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7729 is a Server-Side Request Forgery (SSRF) vulnerability found in the pixelsock directus-mcp 1.0.0 tool, specifically in the validateUrl function of the MCP Interface component. The vulnerability occurs because the user-supplied fileUrl argument is passed directly to axios.get without proper validation. This allows an attacker to manipulate the fileUrl parameter to make the server perform arbitrary HTTP requests to internal or external destinations, including restricted endpoints such as loopback addresses, private network ranges, and cloud metadata services.
The vulnerability can be exploited remotely if the attacker has network access to the MCP interface. The issue arises from the lack of URL allowlisting, private-address blocking, and redirect validation, enabling attackers to force the server to make requests to attacker-controlled or sensitive internal resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Server-Side Request Forgery (SSRF) that allows attackers to make arbitrary outbound HTTP requests from the MCP server to internal or attacker-controlled destinations. This can lead to high confidentiality risks due to potential unauthorized access to internal resources.
Such unauthorized access and potential information disclosure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive and personal data against unauthorized access and breaches.
Mitigations such as restricting access to the MCP server, disabling vulnerable features, blocking private network ranges, and validating URLs before requests are essential to reduce the risk of non-compliance.
How can this vulnerability impact me?
This vulnerability can have several impacts depending on the attacker's goals and the network environment:
- Confidentiality risks: Attackers may gain unauthorized access to internal resources, sensitive data, or cloud metadata services by forcing the server to make requests to these endpoints.
- Integrity risks: Depending on the reachable endpoints, attackers might manipulate or influence internal services, though this risk is generally considered low.
- Availability risks: The vulnerability could cause delays or disruptions in outbound requests, potentially affecting service availability, but this impact is also considered low.
The vulnerability requires that the attacker can invoke the uploadFile tool with a malicious fileUrl and that the MCP server has network egress to the targeted destinations without network-layer restrictions. Exploitation can lead to information disclosure or further exploitation of internal systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual outbound HTTP requests initiated by the MCP server, especially those targeting internal, loopback, or attacker-controlled destinations. Since the vulnerability involves the `fileUrl` parameter being passed unchecked to axios.get, detection can focus on identifying requests made by the MCP interface to unexpected or private IP ranges.
A proof of concept involves setting up a controlled HTTP listener and invoking the `uploadFile` tool with a `fileUrl` pointing to that listener, then observing if the MCP server makes an outbound request to it.
Suggested commands to detect exploitation attempts or test for the vulnerability include:
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the MCP server to internal or suspicious IP addresses.
- Set up a controlled HTTP server (e.g., using `nc -l -p 8080` or a simple Python HTTP server) and invoke the `uploadFile` tool with a `fileUrl` pointing to this server to see if the MCP server makes a request.
- Check application logs for unexpected outbound HTTP requests or errors related to URL fetching.
- Perform static code analysis or audit the MCP server code to identify usage of axios.get with unvalidated user input.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the MCP server and the `uploadFile` tool to trusted users only, to prevent unprivileged clients from exploiting the vulnerability.
Disabling or blocking the use of the `fileUrl` parameter in the `uploadFile` tool can prevent the SSRF attack vector until a patch is available.
Implement network-layer restrictions such as blocking outbound requests to private, loopback, and internal IP address ranges from the MCP server.
Use egress allowlists to restrict the destinations the MCP server can reach, preventing it from making arbitrary HTTP requests.
Monitor network traffic and logs for suspicious outbound requests that could indicate exploitation attempts.
Apply the fix from the pending pull request once it is accepted, which includes validating URLs before processing, rejecting non-HTTP/HTTPS schemes, blocking forbidden addresses, and preventing redirect-chain bypasses.
Upgrade vulnerable dependencies such as axios, form-data, path-to-regexp, and modelcontextprotocol/inspector as recommended in the fix.
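The checks described for the fix (HTTP/HTTPS only, forbidden-address blocking, validation of every redirect hop) can be sketched as follows. This is an added example, not the directus-mcp code or the pending patch; the function names, the blocked-range list and the injected `resolve` / `fetchOnce` helpers are assumptions.

```javascript
// Added example; function names are hypothetical, not from directus-mcp.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// True for loopback, private, link-local (cloud metadata), CGNAT and unspecified addresses.
function isForbiddenIp(ip) {
  if (ip.includes(':')) {
    const v6 = ip.toLowerCase();
    return v6 === '::' || v6 === '::1' ||
           v6.startsWith('::ffff:') ||            // IPv4-mapped: blocked conservatively
           /^f[cd][0-9a-f]{2}:/.test(v6) ||       // fc00::/7 unique local
           /^fe[89ab][0-9a-f]:/.test(v6);         // fe80::/10 link-local
  }
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 ||
         (a === 169 && b === 254) ||              // link-local, includes metadata endpoints
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 100 && b >= 64 && b <= 127);      // 100.64.0.0/10
}

// Returns null if the URL may be fetched, otherwise a rejection reason.
// resolve(host) must return an array of address strings (in production, map dns.promises.lookup results).
async function checkUrl(rawUrl, resolve) {
  let u;
  try { u = new URL(rawUrl); } catch { return 'unparseable URL'; }
  if (!ALLOWED_SCHEMES.has(u.protocol)) return `scheme ${u.protocol} not allowed`;
  const host = u.hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
  const isLiteral = host.includes(':') || /^\d+(\.\d+){3}$/.test(host);
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0) return 'host did not resolve';
  const bad = addrs.find(isForbiddenIp);
  return bad ? `forbidden address ${bad}` : null;
}

// Follows redirects by hand so each Location is re-validated before it is requested.
// fetchOnce(url) performs one request without auto-following (e.g. axios with maxRedirects: 0
// and a validateStatus that accepts 3xx) and returns { status, location, body }.
async function safeFetch(rawUrl, fetchOnce, resolve, maxHops = 3) {
  let url = rawUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const reason = await checkUrl(url, resolve);
    if (reason) throw new Error(`blocked at hop ${hop}: ${reason}`);
    const res = await fetchOnce(url);
    if (res.status < 300 || res.status >= 400 || !res.location) return res;
    url = new URL(res.location, url).href;           // resolve relative redirects
  }
  throw new Error('too many redirects');
}
```

The check and the actual connection resolve DNS separately, so a hostname can change its answer between the two; the network-layer egress restrictions listed above remain necessary as a backstop.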