VYPR
High severity 7.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10280

Description

Server-side request forgery in mcpilot's MCP API Call Endpoint allows remote attackers to make arbitrary server requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A server-side request forgery (SSRF) vulnerability exists in the MCP API Call Endpoint, specifically within the client/src/app/api/mcp/call/route.ts file of horizon921 mcpilot version 0.1.0. The vulnerability arises from the manipulation of the serverBaseUrl argument, which allows the server to make requests to attacker-chosen internal or local services due to a lack of restrictions on scheme, hostname, port, localhost, or private-network targets [2].

Exploitation

An attacker needs the ability to send requests to the Next.js /api/mcp/call route. The attacker can then provide a user-controlled serverBaseUrl to the API. The affected server will probe MCP-related endpoints on this base URL and subsequently send a server-side POST request to the detected tool endpoint, allowing the server to connect to attacker-chosen services [2].

Impact

Successful exploitation allows an attacker to cause the server to connect to arbitrary internal or local services. This can lead to the disclosure of sensitive information or further compromise of internal network resources, depending on the services accessible from the server [2].

Mitigation

As of the report date, a fixed version was not available. The project was informed of the vulnerability but has not yet responded. Users are advised to monitor the project's GitHub repository for updates [1, 2].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Next.js API route does not restrict the scheme, hostname, port, localhost, or private-network targets for the user-controlled serverBaseUrl argument."

Attack vector

An attacker can send requests to the Next.js /api/mcp/call route, provided the server has network egress to attacker-chosen or internal targets and no network policy blocks access to localhost or RFC1918 addresses [ref_id=1]. The attacker manipulates the serverBaseUrl argument to point to an internal or local service, causing the server to make a server-side POST request to the detected tool endpoint [ref_id=1].

Affected code

The vulnerability resides in the Next.js API route /api/mcp/call, specifically within the file client/src/app/api/mcp/call/route.ts [ref_id=1]. The user-controlled serverBaseUrl is used in subsequent fetch calls to detect server configuration and send POST requests [ref_id=1].

What the fix does

The advisory does not specify a patch or fixed version. It recommends validating serverBaseUrl before outbound requests, enforcing allowed schemes, hosts, and ports, and adding regression tests to reject localhost and private-network URLs [ref_id=1]. Workarounds include restricting serverBaseUrl to an allowlist and blocking loopback, link-local, RFC1918, and cloud metadata targets [ref_id=1].
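The validation recommended above, sketched as an added example; it is not code from mcpilot or from the advisory. The function names, the reason strings, and the allowlisted host and port are assumptions chosen for illustration.

```typescript
// Added example: hypothetical validator, not mcpilot's code.
// The host and port allowlists are constructed sample policy values.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_HOSTS = new Set(["mcp.example.com"]);
const ALLOWED_PORTS = new Set(["", "8443"]); // "" is the scheme's default port

// Loopback, RFC1918, link-local (covers 169.254.169.254 metadata) and 0.0.0.0/8.
function isBlockedIPv4(host: string): boolean {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// URL.hostname is already canonical: "2130706433" and "0x7f.1" arrive as "127.0.0.1".
function isBlockedHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h.startsWith("[")) {
    const v6 = h.slice(1, -1);
    // Loopback, unspecified, IPv4-mapped, link-local fe80::/10, unique-local fc00::/7.
    return v6 === "::1" || v6 === "::" || v6.startsWith("::ffff:") ||
      /^fe[89ab][0-9a-f]:/.test(v6) || /^f[cd][0-9a-f]{2}:/.test(v6);
  }
  return isBlockedIPv4(h);
}

// Returns "ok" or the reason the URL must not be fetched.
function checkServerBaseUrl(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return "unparseable";
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return "scheme";
  if (url.username !== "" || url.password !== "") return "credentials";
  if (isBlockedHost(url.hostname)) return "blocked-target";
  if (!ALLOWED_PORTS.has(url.port)) return "port";
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) return "not-allowlisted";
  return "ok";
}
```

A string check like this does not follow redirects or resolve DNS, so the outbound fetch should also use `redirect: "manual"` and the allowlist should stay in place rather than relying on the block list alone.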

Preconditions

  • input: The attacker must be able to send requests to the Next.js /api/mcp/call route.
  • network: The server must have network egress to attacker-chosen or internal targets.
  • config: No reverse proxy or network policy blocks access to localhost, RFC1918, link-local, or metadata services.

Reproduction

curl -X POST http://127.0.0.1:3000/api/mcp/call \
  -H "Content-Type: application/json" \
  -d "{\"serverBaseUrl\":\"http://127.0.0.1:8765\",\"toolName\":\"poc_tool\",\"arguments\":{\"hello\":\"world\"}}"

Run a local listener on 127.0.0.1:8765 and confirm that the mcpilot backend performs GET /mcp-config-schema and POST /call_tool to the attacker-controlled target [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
