{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5832", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-08T17:10:53.496Z", "datePublished": "2026-04-09T02:00:22.918Z", "dateUpdated": "2026-04-09T02:00:22.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T02:00:22.918Z"}, "title": "atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "Server-Side Request Forgery"}]}], "affected": [{"vendor": "atototo", "product": "api-lab-mcp", "versions": [{"version": "0.2.0", "status": "affected"}, {"version": "0.2.1", "status": "affected"}], "modules": ["HTTP Interface"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-08T19:15:57.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "BruceJin (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356288", "name": "VDB-356288 | atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356288/cti", "name": "VDB-356288 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/789765", "name": "Submit #789765 | atototo api-lab-mcp 0.2.1 Server-Side Request Forgery", "tags": ["third-party-advisory"]}, {"url": "https://github.com/atototo/api-lab-mcp/issues/4", "tags": ["issue-tracking"]}, {"url": "https://github.com/BruceJqs/public_exp/issues/6", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/atototo/api-lab-mcp/", "tags": ["product"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5832", "lastModified": "2026-04-09T02:16:18.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T02:16:18.327", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/BruceJqs/public_exp/issues/6"}, {"source": "cna@vuldb.com", "url": "https://github.com/atototo/api-lab-mcp/"}, {"source": "cna@vuldb.com", "url": "https://github.com/atototo/api-lab-mcp/issues/4"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/789765"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356288"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356288/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.2.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "api-lab-mcp", "source": "cna", "vendor": "atototo"}, "product": "api-lab-mcp", "vendor": "atototo"}], "analysis": {"en": {"generated_at": "2026-04-09T03:50:56.934469+00:00", "value": {"mitigation_remediation": ["Upgrade atototo api\u2011lab\u2011mcp to the latest version that addresses the SSRF issue.", "If upgrading is not possible, limit the set of URLs that can be requested through configuration or disable the server\u2011side request capability.", "Apply network controls, such as firewall rules, to block outbound requests to internal IP ranges from the service.", "Monitor application logs for unusual outbound connections and configure alerts for unexpected URL patterns."], "summary": {"action": "Patch", "impact": "Server\u2011side request forgery (SSRF) allowing unauthorized outbound requests"}, "threat_synthesis": {"affected_systems": "Affected versions of the atototo api\u2011lab\u2011mcp component are 0.0.1 through 0.2.1 inclusive. Any deployment using these releases is susceptible. Updated releases beyond 0.2.1 are not listed as vulnerable in the available information.", "description_and_impact": "The vulnerability originates from improper handling of the source/url parameter in the HTTP Interface of the atototo api\u2011lab\u2011mcp component. An attacker can supply an arbitrary URL, causing the server to perform an HTTP request on the attacker's behalf. This server\u2011side request forgery allows the application to reach destinations that may otherwise be inaccessible, potentially revealing internal resources or exposing user data. The weakness is identified as CWE\u2011918.", "risk_and_exploitability": "The CVSS v3.1 score of 6.9 indicates a medium severity vulnerability. EPSS data is not provided, and the CVE is not cataloged in the KEV list. The description explicitly states that the attack can be carried out remotely, and public exploit code has been released, suggesting potential exploitation against exposed instances."}}}}, "created": "2026-04-09T08:15:50.216981+00:00", "updated": "2026-04-09T08:25:16.793712+00:00", "vendors": ["atototo", "atototo$PRODUCT$api-lab-mcp"]}