CVE-2026-15525
Received Received - Intake

Server-Side Request Forgery in kLOsk adloop

Vulnerability report for CVE-2026-15525, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability was detected in kLOsk adloop up to 0.9.0. This vulnerability affects the function _validate_urls of the file src/adloop/ads/write.py. Performing a manipulation of the argument final_url results in server-side request forgery. The attack may be initiated remotely. The exploit is now public and may be used. Upgrading to version 0.10.0 is able to resolve this issue. The patch is named 217399723e3a2fb39389e5355d49ed80aaf9ea7c. Upgrading the affected component is advised.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
klosk adloop to 0.10.0 (exc)
klosk adloop 0.10.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the kLOsk adloop software up to version 0.9.0, specifically in the _validate_urls function of the src/adloop/ads/write.py file. The function improperly handles the final_url parameter by passing it directly to urllib.request.urlopen() without validating the URL scheme or host.

Because of this lack of validation, an attacker can manipulate the final_url argument to perform a Server-Side Request Forgery (SSRF) attack. This means the attacker can make the server send requests to internal or otherwise inaccessible network endpoints, such as local IP addresses (e.g., 127.0.0.1) or cloud metadata services (e.g., 169.254.169.254).

Additionally, the vulnerability allows local file access through the file:// scheme, enabling the attacker to probe for the existence of local files on the server.

The attack can be initiated remotely and is triggered during the preview or validation step before any Google API authentication, making it exploitable as soon as the MCP server is running. The vulnerability is considered a blind SSRF and local-file existence oracle.

Upgrading to version 0.10.0, which includes stricter URL validation rejecting unsafe schemes and private addresses, resolves this issue.

Impact Analysis

This vulnerability can impact you by allowing an attacker to make the vulnerable server perform unauthorized requests to internal network services or local files that are normally inaccessible from outside.

Such SSRF attacks can be used to scan internal ports, access sensitive internal admin endpoints, retrieve cloud metadata (which may contain credentials), or probe local files for existence, potentially leading to information disclosure.

Because the attack is blind (the response content is not returned to the attacker), it may be used for reconnaissance to gather information about the internal network or server environment.

This can lead to further exploitation, privilege escalation, or unauthorized access to sensitive data or services within your infrastructure.

Detection Guidance

This vulnerability involves server-side request forgery (SSRF) through manipulation of the final_url parameter in the _validate_urls function. Detection can focus on monitoring for unusual or unauthorized outbound requests initiated by the adloop server, especially requests to internal IP addresses such as 127.0.0.1 or 169.254.169.254, or requests using unsafe URL schemes like file://.

Since the vulnerability is triggered during URL validation before Google API authentication, network monitoring tools can be used to detect suspicious HTTP requests originating from the adloop process.

Suggested commands to detect exploitation attempts include:

  • Use network monitoring tools like tcpdump or Wireshark to capture outbound traffic from the adloop server process and filter for requests to internal IP ranges or unusual URL schemes.
  • Example tcpdump command to monitor HTTP requests from the server: sudo tcpdump -i any -nn host 127.0.0.1 or host 169.254.169.254
  • Check application logs for calls to _validate_urls or draft tools that include suspicious final_url parameters.
  • Use process monitoring tools (e.g., lsof, netstat) to identify unexpected outbound connections from the adloop process.
Mitigation Strategies

The primary immediate mitigation step is to upgrade the adloop package to version 0.10.0 or later, which includes a patch that enforces stricter URL validation to prevent SSRF attacks by rejecting unsafe URL schemes and private or internal IP addresses.

If upgrading immediately is not possible, consider implementing network-level restrictions to block outbound requests from the adloop server to internal IP ranges and disallow unsafe URL schemes.

Additionally, review and restrict access to the adloop server to trusted users only, as the vulnerability can be exploited remotely via manipulated final_url parameters.

Running the command `adloop init` after upgrading is necessary to set up the required Google Cloud project configuration.

Compliance Impact

The vulnerability in kLOsk adloop up to version 0.9.0 allows server-side request forgery (SSRF) and local file access due to insufficient URL validation. This can enable attackers to access internal endpoints and local files, potentially exposing sensitive data.

While the provided context does not explicitly mention direct impacts on compliance with standards like GDPR or HIPAA, SSRF vulnerabilities can lead to unauthorized access to sensitive personal or protected health information if such data is stored or accessible internally. This could result in violations of data protection regulations by exposing or leaking confidential information.

The patched version 0.10.0 includes stricter URL validation to prevent SSRF attacks by rejecting unsafe schemes and private addresses, which helps mitigate risks that could affect compliance with data protection standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart