Unknown · Ckan-Mcp-Server · CVE-2026-33060
**Name of the Vulnerable Software and Affected Versions**
CKAN MCP Server versions prior to 0.4.85
**Description**
CKAN MCP Server, a tool for querying CKAN open data portals, contains a server-side request forgery (SSRF) flaw in its `ckan package search` and `sparql query` tools. Both tools accept a `base url` parameter and issue HTTP requests to whatever endpoint it names, without validation. A legitimate CKAN portal client never needs to contact cloud metadata services or internal network services. Because the parameter is not validated against an allowlist, and neither private ranges (RFC 1918, link-local 169.254.x.x) nor cloud metadata endpoints are blocked, whoever controls it can potentially scan the internal network and steal cloud metadata, including IAM credentials from the instance metadata service (IMDS) at 169.254.169.254. Exploitation requires prompt injection to control the `base url` parameter. The `sparql query` and `ckan datastore search sql` tools are also affected: their query parameters are passed on unsanitized, which can potentially lead to SQL or SPARQL injection.
**Recommendations**
For versions prior to 0.4.85:
- Validate the `base url` parameter against a configurable allowlist of permitted CKAN portals.
- Block private IP ranges (RFC 1918, link-local).
- Block cloud metadata endpoints (169.254.169.254).
- Sanitize SQL input for datastore queries.
- Implement an allowlist for the SPARQL endpoint.
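The allowlist and address checks recommended above, as an added example written for this advisory rather than code from the CKAN MCP Server project: it assumes a Python server, a hypothetical configurable allowlist (`DEFAULT_ALLOWED_HOSTS`), and a pluggable `resolver` hook so the check can be exercised without DNS. It goes a step beyond the list by checking every address an allowlisted name resolves to, so a name that points at an internal address is rejected as well.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical allowlist; a real deployment loads it from configuration.
DEFAULT_ALLOWED_HOSTS = frozenset({"demo.ckan.org", "data.example.org"})
# Cloud metadata endpoints, blocked even if a range check were to pass.
METADATA_ADDRESSES = frozenset({"169.254.169.254", "fd00:ec2::254"})

class UnsafeBaseUrl(ValueError):
    """Raised when a caller-supplied base_url must not be contacted."""

def _resolve(host: str) -> list[str]:
    # Default resolver: every address the name maps to; all of them get checked.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _blocked(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local, other non-global or metadata IPs."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:169.254.169.254 is IMDS too
    return str(ip) in METADATA_ADDRESSES or not ip.is_global

def validate_base_url(base_url: str,
                      allowed_hosts: Iterable[str] = DEFAULT_ALLOWED_HOSTS,
                      resolver: Callable[[str], list[str]] = _resolve) -> str:
    """Return a normalised base URL for an allowlisted, public CKAN host."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or parts.username is not None:
        raise UnsafeBaseUrl("only plain http(s) URLs without credentials")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeBaseUrl(f"host not in allowlist: {host!r}")
    try:  # an allowlisted name may still resolve to an internal address
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolver(host)
    for addr in addresses:
        if _blocked(addr):
            raise UnsafeBaseUrl(f"{host!r} maps to blocked address {addr}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}{parts.path.rstrip('/')}"

def is_safe_base_url(base_url: str, **kwargs) -> bool:
    try:  # accept/reject wrapper; DNS failures count as reject
        validate_base_url(base_url, **kwargs)
        return True
    except (UnsafeBaseUrl, OSError):
        return False
```

Call `validate_base_url` once per tool invocation and build every request from its return value, never from the raw parameter.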