Description
CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter and make HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on the base_url parameter: no private-IP blocking (RFC 1918, link-local 169.254.x.x) and no cloud-metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), and potential SQL/SPARQL injection via unsanitized query parameters. The attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Internal Network Access
Action: Immediate Patch
AI Analysis

Impact

CKAN MCP Server, used for querying CKAN open‑data portals, has a Server‑Side Request Forgery flaw in its ckan_package_search and sparql_query tools. The tools accept a base_url parameter that is passed directly to an HTTP client without any form of validation or blocking of internal addresses. An attacker who can influence the base_url value can cause the server to make outgoing requests to arbitrary endpoints, including private networks or cloud metadata services such as 169.254.169.254. This can lead to internal network reconnaissance, theft of IAM credentials via the Instance Metadata Service, or injection of malicious SQL/SPARQL queries through unsanitized query parameters. The weakness is classified as CWE‑918, reflecting unsanitized external redirection.

Affected Systems

The vulnerability is present in the ondata:ckan-mcp-server product in all released versions prior to 0.4.85. Releases before the fix expose the ckan_package_search, sparql_query, and ckan_datastore_search_sql tools to the flaw. The issue was resolved in version 0.4.85, which implements proper URL validation and blocking of internal ranges.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be able to supply a crafted base_url parameter (the description notes this means controlling the parameter through prompt injection); the value normally comes from a CKAN portal client, which has no legitimate reason to target internal network services. The risk is therefore moderate to high where the CKAN MCP Server is exposed to untrusted or third‑party clients, since an attacker could perform internal network scans, retrieve cloud credentials, or inject malformed queries.

Generated by OpenCVE AI on March 20, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CKAN MCP Server to version 0.4.85 or newer.
  • If an upgrade is not immediately possible, restrict the base_url parameter to allow only trusted external URLs and block RFC 1918 and link‑local addresses.
  • Verify that any customizations or wrappers around ckan_package_search and sparql_query enforce URL validation before forwarding requests.


Advisories

Source: GitHub GHSA
ID: GHSA-3xm7-qw7j-qc8v
Title: SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
History

Fri, 17 Apr 2026 21:15:00 +0000 (values added)
  First Time appeared: Ondata ckan Mcp Server
  CPEs: cpe:2.3:a:ondata:ckan_mcp_server:*:*:*:*:*:node.js:*:*
  Vendors & Products: Ondata ckan Mcp Server

Tue, 24 Mar 2026 02:30:00 +0000 (values added)
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000 (values added)
  First Time appeared: Ondata; Ondata ckan-mcp-server
  Vendors & Products: Ondata; Ondata ckan-mcp-server

Fri, 20 Mar 2026 07:45:00 +0000 (values added)
  Description: CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85.
  Title: CKAN MCP Server: SSRF via base_url allows access to internal networks
  Weaknesses: CWE-918
  References:
  Metrics: cvssV3_1
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:56:33.169Z

Reserved: 2026-03-17T19:27:06.342Z

Link: CVE-2026-33060

Vulnrichment

Updated: 2026-03-24T01:56:29.050Z

NVD

Status: Analyzed

Published: 2026-03-20T08:16:11.923

Modified: 2026-04-17T21:06:02.070

Link: CVE-2026-33060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:36:53Z

Weaknesses