Description
A security flaw has been discovered in TimBroddin astro-mcp-server up to 1.1.1. The impacted element is an unknown function of the file src/index.ts of the component MCP Tool Query Construction. Performing a manipulation of the argument request.params.arguments results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection in TimBroddin astro-mcp-server up to version 1.1.1, caused by unsanitized handling of the request.params.arguments argument in the src/index.ts file of the MCP Tool Query Construction component. An attacker can craft malicious input that is incorporated directly into a SQL statement executed by the server, allowing arbitrary SQL commands to be run. This flaw is classified as CWE-74 (Improper Handling of Character Data) and CWE-89 (SQL Injection), enabling unauthorized data access, modification, or deletion by a remote user.

Affected Systems

Affected systems are instances of TimBroddin astro-mcp-server running versions up to 1.1.1. No later version is reported as vulnerable, and the project is hosted on GitHub at the provided repository URL. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified accurately. The vulnerability is not listed in CISA’s KEV catalog, but a public exploit exists and the vulnerable endpoint is reachable remotely, so an attacker can manipulate the argument and inject SQL by sending a crafted HTTP request from outside the network. Because no patch has yet been published, the risk persists until remediation is applied.

Generated by OpenCVE AI on May 1, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact the vendor and request a patch or update to a version newer than 1.1.1.
  • Replace concatenated query strings with prepared statements or parameterized queries to isolate SQL code from user input.
  • Validate and sanitize the request.params.arguments value before it is used in any SQL statement.
  • Restrict access to the vulnerable endpoint to authenticated and authorized users only.
  • Monitor application logs for unexpected or malicious SQL execution patterns to detect exploitation attempts.
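The second and third recommended actions above (parameterize the query, validate request.params.arguments before it reaches SQL) are shown below as an added example in TypeScript. It is not code from astro-mcp-server; the tool name search_posts, the posts table and its columns, and the $1-style positional placeholders (node-postgres convention) are all assumptions. The vulnerable builder reproduces the defect class the advisory describes, and the hardened builder beside it keeps the SQL text free of user data, allowlists identifiers that cannot be bound as parameters, and bounds the numeric argument.

```typescript
// Added example (not astro-mcp-server's code). Tool name, table and column
// names, and the placeholder style are hypothetical.

type ParameterizedQuery = { text: string; values: unknown[] };

// Assumed shape of an MCP tools/call request as the handler sees it.
interface ToolCallRequest {
  params: { name: string; arguments?: Record<string, unknown> };
}

// VULNERABLE pattern (the defect class named in the advisory): the argument is
// interpolated into SQL text, so a quote character in the input becomes part
// of the statement rather than part of the search term.
function buildQueryVulnerable(req: ToolCallRequest): string {
  const args = req.params.arguments ?? {};
  return `SELECT id, title FROM posts WHERE title LIKE '%${args.query}%'`;
}

// Identifiers cannot be bound as parameters, so a sort column must be checked
// against a fixed allowlist instead of being sanitized.
const SORTABLE_COLUMNS: ReadonlySet<string> = new Set(["id", "title", "published_at"]);

// HARDENED pattern: validate every argument's type and bounds first, then bind
// values as parameters; the SQL text contains only placeholders and
// allowlisted identifiers.
function buildQuerySafe(req: ToolCallRequest): ParameterizedQuery {
  const args = req.params.arguments ?? {};

  const query = args.query;
  if (typeof query !== "string" || query.length === 0 || query.length > 200) {
    throw new Error("invalid 'query' argument: expected a non-empty string of at most 200 chars");
  }

  const orderBy = args.orderBy ?? "id";
  if (typeof orderBy !== "string" || !SORTABLE_COLUMNS.has(orderBy)) {
    throw new Error("invalid 'orderBy' argument: column not in allowlist");
  }

  const limit = args.limit ?? 20;
  if (typeof limit !== "number" || !Number.isInteger(limit) || limit < 1 || limit > 100) {
    throw new Error("invalid 'limit' argument: expected an integer in 1..100");
  }

  // Escape LIKE metacharacters so user input cannot widen the pattern even
  // though it is bound as a value.
  const escaped = query.replace(/[\\%_]/g, (c: string) => "\\" + c);

  return {
    text: `SELECT id, title FROM posts WHERE title LIKE $1 ESCAPE '\\' ORDER BY ${orderBy} LIMIT $2`,
    values: [`%${escaped}%`, limit],
  };
}

// Review/test helper: does the SQL text still contain the raw user value?
// A parameterized builder should always return false here.
function leaksInput(sqlText: string, input: string): boolean {
  return sqlText.includes(input);
}

// Constructed sample request: a search term containing an apostrophe, which is
// enough to break the concatenated query but is handled as data by the safe one.
const sampleRequest: ToolCallRequest = {
  params: { name: "search_posts", arguments: { query: "O'Brien" } },
};

function demo(): { vulnerable: string; safe: ParameterizedQuery } {
  return { vulnerable: buildQueryVulnerable(sampleRequest), safe: buildQuerySafe(sampleRequest) };
}
```

The leaksInput check is the kind of assertion worth keeping in the project's own tests: any query builder whose output text contains a user-supplied string verbatim has lost the separation between SQL code and data that parameterization is meant to guarantee.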



Advisories

No advisories yet.

History

Fri, 01 May 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 19:15:00 +0000

Type         Values Removed   Values Added
Description  -                A security flaw has been discovered in TimBroddin astro-mcp-server up to 1.1.1. The impacted element is an unknown function of the file src/index.ts of the component MCP Tool Query Construction. Performing a manipulation of the argument request.params.arguments results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title        -                TimBroddin astro-mcp-server MCP Tool Query Construction index.ts sql injection
Weaknesses   -                CWE-74, CWE-89
References   -                -
Metrics      -                cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                              cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                              cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T20:02:42.888Z

Reserved: 2026-05-01T09:37:42.666Z

Link: CVE-2026-7591

Vulnrichment

Updated: 2026-05-01T20:02:26.112Z

NVD

Status: Deferred

Published: 2026-05-01T19:16:33.783

Modified: 2026-05-01T20:21:53.960

Link: CVE-2026-7591

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses