CVE-2026-10662
Received Received - Intake
Server-Side Request Forgery in Blender-MCP ZIP Handler

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulDB

Description
A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-03
AI Q&A
2026-06-03
EPSS Evaluated
N/A
NVD
CVE-2026-10662
EUVD
EUVD-2026-34037
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ahujasid blender-mcp to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the ahujasid blender-mcp software, specifically in the function requests.get within the file src/blender_mcp/server.py, which is part of the ZIP File Handler component.

The issue arises from the manipulation of the argument zip_file_url, which leads to a server-side request forgery (SSRF). This means an attacker can make the server send unauthorized requests to other internal or external resources.

The attack can be executed remotely, and the exploit has been made public, increasing the risk of exploitation.

A patch has been identified to fix this issue, and it is recommended to apply it.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to perform server-side request forgery, which may enable them to access internal systems or resources that are not normally accessible from outside.

Such unauthorized requests could lead to information disclosure, unauthorized actions, or further attacks within the network.

Because the attack can be executed remotely and the exploit is public, the risk of compromise is significant if the vulnerability is not patched.


What immediate steps should I take to mitigate this vulnerability?

It is advisable to implement the patch identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e to correct this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart