{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34476", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-28T02:38:58.575Z", "datePublished": "2026-04-13T13:01:31.156Z", "dateUpdated": "2026-04-13T15:29:57.926Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache SkyWalking MCP", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "0.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Andrea Cosentino <ancosen@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.<p></p><p>This issue affects Apache SkyWalking MCP: 0.1.0.</p>Users are recommended to upgrade to version 0.2.0, which fixes this issue.<br></div><br>"}], "value": "Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.\n\nThis issue affects Apache SkyWalking MCP: 0.1.0.\n\nUsers are recommended to upgrade to version 0.2.0, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T13:01:31.156Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T13:58:47.468228Z", "id": "CVE-2026-34476", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:59:29.737Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/13/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T15:29:57.926Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/13/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-13T15:29:57.926Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34476", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T13:58:47.468228Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:57:59.986Z"}}], "cna": {"title": "Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Andrea Cosentino <ancosen@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache SkyWalking MCP", "versions": [{"status": "affected", "version": "0.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.\n\nThis issue affects Apache SkyWalking MCP: 0.1.0.\n\nUsers are recommended to upgrade to version 0.2.0, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "<div>Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.<p></p><p>This issue affects Apache SkyWalking MCP: 0.1.0.</p>Users are recommended to upgrade to version 0.2.0, which fixes this issue.<br></div><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-13T13:01:31.156Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34476", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:29:57.926Z", "dateReserved": "2026-03-28T02:38:58.575Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-13T13:01:31.156Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:skywalking_mcp:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F427ACA-F1D3-4D26-A416-555D3B2B983F", "versionEndExcluding": "0.2.0", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.\n\nThis issue affects Apache SkyWalking MCP: 0.1.0.\n\nUsers are recommended to upgrade to version 0.2.0, which fixes this issue."}], "id": "CVE-2026-34476", "lastModified": "2026-04-20T16:45:47.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T13:16:40.847", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/04/13/4"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "skywalking", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-13T15:55:01.237183+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Apache SkyWalking MCP to version\u00a00.2.0.", "Verify that the MCP service no longer accepts unauthorized SW\u2011URL headers after the upgrade.", "If an immediate upgrade is not possible, restrict external network access to the MCP endpoint and monitor for suspicious requests."], "summary": {"action": "Patch immediately", "impact": "Server\u2011Side Request Forgery allowing launch of arbitrary outbound requests from the Apache SkyWalking MCP server"}, "threat_synthesis": {"affected_systems": "Apache SkyWalking MCP version\u202f0.1.0 is affected. The vendor recommends upgrading to 0.2.0, which includes the fix. Any deployment running 0.1.0 is potentially exposed.", "description_and_impact": "The SSH\u2011SkyWalking MCP service is vulnerable to Server\u2011Side Request Forgery through its SW\u2011URL header. A remote user who can send a request to the MCP can supply a value for the SW\u2011URL header that the server will resolve and fetch on its behalf. This flaw allows an attacker to target any network host reachable from the MCP, potentially exposing confidential data or enabling pivoting into internal systems. The weakness is identified as CWE\u2011918, reflecting a classic SSRF vulnerability that compromises confidentiality, integrity, and availability of downstream services.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high likelihood of exploitation if an attacker can reach the MCP endpoint. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, implying no known active exploitation yet. However, the attack requires only a crafted request containing a malicious SW\u2011URL header, which makes exploitation straightforward for anyone with network access to the MCP. Successful exploitation would allow the attacker to compel the server to contact arbitrary URLs, potentially leaking internal data or enabling further compromises."}}}}, "created": "2026-04-14T16:19:28.308938+00:00", "updated": "2026-04-14T16:34:35.491017+00:00", "vendors": ["apache", "apache$PRODUCT$skywalking"]}