{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.342Z", "datePublished": "2026-03-20T07:21:30.897Z", "dateUpdated": "2026-03-24T01:56:33.169Z"}, "containers": {"cna": {"title": "CKAN MCP Server: SSRF via base_url allows access to internal networks", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v"}, {"name": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["x_refsource_MISC"], "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}], "affected": [{"vendor": "ondata", "product": "ckan-mcp-server", "versions": [{"version": "< 0.4.85", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T07:21:30.897Z"}, "descriptions": [{"lang": "en", "value": "CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85."}], "source": {"advisory": "GHSA-3xm7-qw7j-qc8v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T01:56:21.382987Z", "id": "CVE-2026-33060", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:56:33.169Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33060", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T01:56:21.382987Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:56:29.050Z"}}], "cna": {"title": "CKAN MCP Server: SSRF via base_url allows access to internal networks", "source": {"advisory": "GHSA-3xm7-qw7j-qc8v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ondata", "product": "ckan-mcp-server", "versions": [{"status": "affected", "version": "< 0.4.85"}]}], "references": [{"url": "https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v", "name": "https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "name": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T07:21:30.897Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33060", "state": "PUBLISHED", "dateUpdated": "2026-03-24T01:56:33.169Z", "dateReserved": "2026-03-17T19:27:06.342Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T07:21:30.897Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ondata:ckan_mcp_server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "69380743-B2D7-4077-B54B-3293B1B65DDA", "versionEndExcluding": "0.4.85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on base_url parameter. No private IP blocking (RFC 1918, link-local 169.254.x.x), no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential SQL/SPARQL injection via unsanitized query parameters. Attack requires prompt injection to control the base_url parameter. This issue has been fixed in version 0.4.85."}, {"lang": "es", "value": "CKAN MCP Server es una herramienta para consultar portales de datos abiertos CKAN. Las versiones anteriores a la 0.4.85 proporcionan herramientas que incluyen ckan_package_search y sparql_query que aceptan un par\u00e1metro base_url, realizando solicitudes HTTP a puntos finales arbitrarios sin restricci\u00f3n. Un cliente de portal CKAN no tiene ninguna raz\u00f3n leg\u00edtima para contactar metadatos de la nube o servicios de red internos. No hay validaci\u00f3n de URL en el par\u00e1metro base_url. No hay bloqueo de IP privadas (RFC 1918, link-local 169.254.x.x), no hay bloqueo de metadatos de la nube. Las herramientas sparql_query y ckan_datastore_search_sql tambi\u00e9n aceptan URLs base arbitrarias y exponen superficies de inyecci\u00f3n. Un ataque puede conducir a escaneo de red interno, robo de metadatos de la nube (credenciales IAM a trav\u00e9s de IMDS en 169.254.169.254), inyecci\u00f3n potencial de SQL/SPARQL a trav\u00e9s de par\u00e1metros de consulta no saneados. El ataque requiere inyecci\u00f3n de prompt para controlar el par\u00e1metro base_url. Este problema ha sido solucionado en la versi\u00f3n 0.4.85."}], "id": "CVE-2026-33060", "lastModified": "2026-04-17T21:06:02.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T08:16:11.923", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kysely-org/kysely/commit/0a602bff2f442f6c26d5e047ca8f8715179f6d24"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/ondata/ckan-mcp-server/security/advisories/GHSA-3xm7-qw7j-qc8v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.85)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ckan-mcp-server", "source": "cna", "vendor": "ondata"}, "product": "ckan-mcp-server", "vendor": "ondata"}], "analysis": {"en": {"generated_at": "2026-03-20T08:50:30.785156+00:00", "value": {"mitigation_remediation": ["Upgrade CKAN MCP Server to version 0.4.85 or newer.", "If an upgrade is not immediately possible, restrict the base_url parameter to allow only trusted external URLs and block RFC 1918 and link\u2011local addresses.", "Verify that any customizations or wrappers around ckan_package_search and sparql_query enforce URL validation before forwarding requests."], "summary": {"action": "Immediate Patch", "impact": "Internal Network Access"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the ondata:ckan-mcp-server product in all released versions prior to 0.4.85. Early releases of the tool expose the ckan_package_search, sparql_query, ckan_datastore_search_sql, and ckan_datastore_search_sql tools to the flaw. The issue was resolved in version 0.4.85, which implements proper URL validation and blocking of internal ranges.", "description_and_impact": "CKAN MCP Server, used for querying CKAN open\u2011data portals, has a Server\u2011Side Request Forgery flaw in its ckan_package_search and sparql_query tools. The tools accept a base_url parameter that is passed directly to an HTTP client without any form of validation or blocking of internal addresses. An attacker who can influence the base_url value can cause the server to make outgoing requests to arbitrary endpoints, including private networks or cloud metadata services such as 169.254.169.254. This can lead to internal network reconnaissance, theft of IAM credentials via the Instance Metadata Service, or injection of malicious SQL/SPARQL queries through unsanitized query parameters. The weakness is classified as CWE\u2011918, reflecting unsanitized external redirection.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be able to supply a crafted base_url parameter; normally this is provided by a CKAN portal client, but the client lacks any legitimate reason to target internal network services. Therefore, the risk is moderate to high if the CKAN MCP Server is exposed to untrusted or third\u2011party clients, as the attacker could perform internal network scans, retrieve cloud credentials, or inject malformed queries."}}}}, "created": "2026-03-20T08:52:13.839076+00:00", "updated": "2026-03-20T10:36:53.016888+00:00", "vendors": ["ondata", "ondata$PRODUCT$ckan-mcp-server"]}