Description
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.url directly without revalidating, and the OpenAPI converter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the OpenAPI converter then produces tools whose URL points at internal services on the agent host. All three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) shared the same gap. This vulnerability is fixed in 1.1.3.
Published: 2026-05-14
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from the utcp-http plugin of python-utcp where input validation performed during manual discovery is not repeated when a tool is invoked. A malicious OpenAPI specification can be hosted on a legitimate HTTPS domain and contain a servers[0].url pointing to internal addresses such as 127.0.0.1 or the metadata service. When the client processes this spec, it blindly trusts the declared server URL and sends HTTP requests to the specified internal service, revealing the internal network or sensitive data. This is a blind SSRF, giving the attacker indirect control over the host's outbound connections without requiring authentication.

Affected Systems

Affected software is the python-utcp implementation of UTCP. Versions prior to 1.1.3 are vulnerable. The bug exists in all three HTTP‑class protocols that the plugin supports: utcp_http.http, utcp_http.streamable_http, and utcp_http.sse.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a remote attacker hosting a malicious OpenAPI specification on a trusted HTTPS server that the victim’s python-utcp client accesses. Because no authentication or additional credentials are required, the vulnerability can be leveraged by anyone who can influence the URL that the client processes. The exploit probability is uncertain due to missing EPSS data, but the presence of the flaw in a widely used protocol library suggests potential for exploitation in environments where OpenAPI specs are fetched from external sources.

Generated by OpenCVE AI on May 14, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update python-utcp to version 1.1.3 or later, where the SSRF bug is fixed.
  • Restrict the sources from which OpenAPI specifications can be pulled, for example by ensuring that only HTTPS URLs from trusted origins or signed certificates are allowed.
  • If an immediate upgrade is not available, block outbound traffic to internal IP ranges from the client host or implement network segmentation to prevent the client from reaching sensitive internal services.
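
The restriction described above can be enforced by checking every servers[].url of a fetched spec, and again the resolved tool URL at invocation time, against the origin the spec was discovered from. This is an added example, not code from python-utcp or its 1.1.3 fix; the function names, the policy and the sample spec are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

def classify_host(host: str) -> str:
    """Return 'loopback', 'internal', 'public' or 'name' for a URL host."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: checking what it resolves to is out of scope here.
        return "name"
    if ip.is_loopback:
        return "loopback"
    return "public" if ip.is_global else "internal"

def check_tool_url(tool_url: str, discovery_url: str) -> None:
    """Raise ValueError if tool_url breaks the assumed policy."""
    # OpenAPI allows relative server URLs; resolve them against the spec URL.
    tool = urlsplit(urljoin(discovery_url, tool_url))
    if tool.scheme not in ("http", "https") or not tool.hostname:
        raise ValueError("tool URL must be an http(s) URL with a host")
    tool_kind = classify_host(tool.hostname)
    disc_kind = classify_host(urlsplit(discovery_url).hostname or "")
    if tool_kind == "internal":
        raise ValueError("private, link-local or reserved address")
    if tool_kind == "loopback" and disc_kind != "loopback":
        raise ValueError("remotely discovered manual must not target loopback")
    if tool.scheme == "http" and tool_kind != "loopback":
        raise ValueError("plain HTTP is only allowed for loopback")

def audit_servers(spec: dict, discovery_url: str) -> list:
    """Return (url, reason) for each servers[] entry that fails the check."""
    findings = []
    for server in spec.get("servers", []):
        url = server.get("url", "")
        try:
            check_tool_url(url, discovery_url)
        except ValueError as exc:
            findings.append((url, str(exc)))
    return findings

# Constructed sample: a spec served from a legitimate HTTPS origin.
SAMPLE_SPEC = {"servers": [{"url": "http://127.0.0.1:9090"},
                           {"url": "http://169.254.169.254"},
                           {"url": "https://api.example.com/v1"},
                           {"url": "/v2"}]}

if __name__ == "__main__":
    for url, reason in audit_servers(SAMPLE_SPEC, "https://specs.example.com/openapi.json"):
        print(f"REJECT {url}: {reason}")
```
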



Advisories
Source: GitHub GHSA
ID: GHSA-39j6-4867-gg4w
Title: utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

History

Fri, 15 May 2026 12:15:00 +0000

Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 20:45:00 +0000

Values Added:
Description: python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.url directly without revalidating, and the OpenAPI converter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the OpenAPI converter then produces tools whose URL points at internal services on the agent host. All three HTTP-class protocols (utcp_http.http, utcp_http.streamable_http, utcp_http.sse) shared the same gap. This vulnerability is fixed in 1.1.3.
Title: python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
Weaknesses: CWE-918
References:
Metrics: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T11:25:09.347Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44661

Vulnrichment

Updated: 2026-05-15T11:24:54.113Z

NVD

Status: Deferred

Published: 2026-05-14T21:16:47.100

Modified: 2026-05-15T14:53:48.823

Link: CVE-2026-44661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:30:12Z
