Description
A weakness has been identified in atototo api-lab-mcp up to 0.2.1. It affects the functions analyze_api_spec, generate_test_scenarios and test_http_endpoint in the file src/mcp/http-server.ts of the component HTTP Interface. Manipulation of the argument source/url causes server-side request forgery. The attack can be carried out remotely. The exploit has been made public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Server‑side request forgery (SSRF) allowing unauthorized outbound requests
Action: Patch
AI Analysis

Impact

The vulnerability originates from improper handling of the source/url parameter in the HTTP Interface of the atototo api‑lab‑mcp component. An attacker can supply an arbitrary URL, causing the server to perform an HTTP request on the attacker's behalf. This server‑side request forgery allows the application to reach destinations that may otherwise be inaccessible, potentially revealing internal resources or exposing user data. The weakness is identified as CWE‑918.

Affected Systems

Affected versions of the atototo api‑lab‑mcp component are 0.0.1 through 0.2.1 inclusive. Any deployment using these releases is susceptible. Updated releases beyond 0.2.1 are not listed as vulnerable in the available information.

Risk and Exploitability

The CVSS v3.1 score of 6.9 indicates a medium severity vulnerability. EPSS data is not provided, and the CVE is not cataloged in the KEV list. The description explicitly states that the attack can be carried out remotely, and public exploit code has been released, suggesting potential exploitation against exposed instances.

Generated by OpenCVE AI on April 9, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade atototo api‑lab‑mcp to the latest version that addresses the SSRF issue.
  • If upgrading is not possible, limit the set of URLs that can be requested through configuration or disable the server‑side request capability.
  • Apply network controls, such as firewall rules, to block outbound requests to internal IP ranges from the service.
  • Monitor application logs for unusual outbound connections and configure alerts for unexpected URL patterns.
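A destination check of the kind the second and third actions describe, written here as an added TypeScript example rather than code from api-lab-mcp; the allowlisted host, the function names and the rejection messages are assumptions:

```typescript
// Added example, not code from api-lab-mcp. Checks a caller-supplied URL before
// an HTTP tool fetches it: scheme allowlist, no embedded credentials, no loopback,
// link-local or private literal addresses, and a hypothetical host allowlist.
const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["http:", "https:"]);
const ALLOWED_HOSTS: ReadonlySet<string> = new Set(["api.example.com"]); // hypothetical config

// Unspecified, loopback, RFC 1918 private and RFC 3927 link-local IPv4 ranges.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (m === null) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// IPv6 loopback/unspecified, unique-local (fc00::/7), link-local (fe80::/10) and
// IPv4-mapped addresses (::ffff:a.b.c.d, which the WHATWG parser serialises as hex).
function isInternalIPv6(host: string): boolean {
  if (host === "::1" || host === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(host) || /^fe[89ab][0-9a-f]:/.test(host)) return true;
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(host);
  if (mapped === null) return false;
  const hi = parseInt(mapped[1], 16);
  const lo = parseInt(mapped[2], 16);
  return isInternalIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Returns null when the destination is permitted, otherwise the reason for rejection.
function validateOutboundUrl(raw: string): string | null {
  const url = parseUrl(raw);
  if (url === null) return "URL does not parse";
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return `scheme ${url.protocol} not allowed`;
  if (url.username !== "" || url.password !== "") return "credentials in URL not allowed";
  // The parser lowercases the host, normalises IPv4 forms (hex, octal, shorthand) to a
  // dotted quad and brackets IPv6 literals, so the checks below see a canonical form.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return "loopback host not allowed";
  if (isInternalIPv4(host) || isInternalIPv6(host)) return `internal address ${host} not allowed`;
  if (!ALLOWED_HOSTS.has(host)) return `host ${host} not in allowlist`;
  return null;
}
```

A literal check like this does not cover a hostname that resolves to an internal address or a redirect to one, so the resolved address should be checked again before connecting and on each redirect hop.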

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Atototo; Atototo api-lab-mcp
Vendors & Products                     Atototo; Atototo api-lab-mcp

Thu, 09 Apr 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description                    A weakness has been identified in atototo api-lab-mcp up to 0.2.1. It affects the functions analyze_api_spec, generate_test_scenarios and test_http_endpoint in the file src/mcp/http-server.ts of the component HTTP Interface. Manipulation of the argument source/url causes server-side request forgery. The attack can be carried out remotely. The exploit has been made public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title                          atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery
Weaknesses                     CWE-918
References
Metrics                        cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T02:00:22.918Z

Reserved: 2026-04-08T17:10:53.496Z

Link: CVE-2026-5832

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T02:16:18.327

Modified: 2026-04-09T02:16:18.327

Link: CVE-2026-5832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:16Z

Weaknesses