PT-2026-26096 · Unknown · Ckan-Mcp-Server

Abcgco · Published 2026-03-18 · Updated 2026-03-22 · CVE-2026-33060

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CKAN MCP Server versions prior to 0.4.85

Description: CKAN MCP Server, a tool for querying CKAN open data portals, contains a flaw in its ckan package search and sparql query tools. These tools accept a base url parameter and make HTTP requests to arbitrary endpoints without validating it. A legitimate CKAN portal client has no need to contact cloud metadata services or internal network services. Because the server neither validates the URL nor blocks private IP ranges (RFC 1918, link-local 169.254.x.x) or cloud metadata endpoints, an attacker can potentially scan the internal network and steal cloud metadata, including IAM credentials, via the IMDS at 169.254.169.254. The sparql query and ckan datastore search sql tools are also affected and expose injection surfaces: their query parameters are not sanitized, which can potentially lead to SQL or SPARQL injection. Exploitation requires prompt injection to control the base url parameter.

Recommendations (versions prior to 0.4.85):
- Validate the base url parameter against a configurable allowlist of permitted CKAN portals.
- Block private IP ranges (RFC 1918, link-local).
- Block cloud metadata endpoints (169.254.169.254).
- Sanitize SQL input for datastore queries.
- Implement an allowlist for the SPARQL endpoint.
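The first three recommendations above (portal allowlist, private/link-local blocking, metadata endpoint blocking) can be combined into one check that runs before any HTTP request is issued. The following is an added example written for this page; it is not code from the CKAN MCP Server project. It assumes a Python client, a constructed allowlist of two hypothetical portal hostnames, and an illustrative (not exhaustive) set of metadata hostnames. The resolver is injectable so the check can be exercised offline.

```python
"""Validate a CKAN base_url before use: allowlist + private/link-local/metadata blocking.

Added example for the advisory above; not the project's own code. Hostnames in
ALLOWED_PORTALS and METADATA_HOSTS are constructed/illustrative assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist; a real deployment loads this from configuration.
ALLOWED_PORTALS = frozenset({"demo.ckan.org", "data.example.gov"})

# Illustrative metadata endpoints (IMDS address from the advisory plus common names).
METADATA_HOSTS = frozenset({"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"})


def is_blocked_address(addr: str) -> bool:
    """True for any address a CKAN portal client should never be asked to contact.

    Covers RFC 1918 and other private ranges, loopback, link-local (169.254/16,
    which includes the IMDS), multicast, reserved and unspecified addresses.
    """
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host: str) -> list:
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_base_url(url: str, allowlist=ALLOWED_PORTALS, resolver=_default_resolver):
    """Return (True, host) if url may be used as a CKAN base URL, else (False, reason).

    Order matters: structural checks first, then the literal-IP block, then the
    allowlist, and finally a resolution check so an allowlisted name that points
    at an internal address is still rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    # Literal IP in the URL: check the address directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and is_blocked_address(host):
        return False, "private, link-local or reserved address"
    if host not in allowlist:
        return False, "host not in allowlist"
    # Even an allowlisted name can resolve to an internal address; check every answer.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"resolves to blocked address {addr}"
    return True, host


if __name__ == "__main__":
    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://10.0.0.5/api/3/action/package_search",
                      "https://demo.ckan.org/"):
        print(candidate, "->", validate_base_url(candidate))
```

One caveat a reviewer would raise: checking the resolved address here and connecting later leaves a window for DNS rebinding, so the HTTP layer should either connect to the already-validated address or re-check at connect time. The allowlist is also the stronger control; the IP blocks are defence in depth for misconfigured allowlist entries.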

Exploit

Fix

SSRF


Weakness Enumeration

Related identifiers

CVE-2026-33060
GHSA-3XM7-QW7J-QC8V

Affected products

Ckan-Mcp-Server