PT-2026-35653 · Tencent · Cloudbase-Mcp
Brucejin · Published 2026-04-28 · Updated 2026-04-29 · CVE-2026-7221
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
TencentCloudBase CloudBase-MCP versions prior to 2.17.1
Description
Remote manipulation of the req.body.url variable within the openUrl() function of the mcp/src/interactive-server.ts file in the open-url component allows for server-side request forgery (SSRF). SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location.
Recommendations
Upgrade to version 2.17.1.
As a temporary workaround, restrict access to the openUrl() function until the update is applied.
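A check of the kind that can sit in front of a handler that opens req.body.url, shown as an added example in plain JavaScript. It is not CloudBase-MCP code and not the 2.17.1 fix; checkOpenUrlTarget, the host allowlist and the sample URLs are hypothetical.

```javascript
// Added example (not CloudBase-MCP code): validate a caller-supplied URL
// before a server-side handler is allowed to open it.
const BLOCKED_V4 = [ // [network, prefix length]: this-host, private, CGNAT, loopback, link-local
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad string -> number, or null when the text is not an IPv4 literal.
function ipv4ToInt(text) {
  const parts = text.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedV4(addr) {
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(addr / size) === Math.floor(ipv4ToInt(net) / size);
  });
}

// allowedHosts: hypothetical list of lowercase hostnames the deployment accepts.
function checkOpenUrlTarget(rawUrl, allowedHosts) {
  let url;
  try { url = new URL(String(rawUrl)); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  // url.hostname is already normalized by the WHATWG parser, so decimal or hex
  // spellings of an IPv4 address arrive here as a dotted quad.
  const host = url.hostname;
  if (host.startsWith("[")) return { ok: false, reason: "ipv6-literal" };
  const v4 = ipv4ToInt(host);
  if (v4 !== null && isBlockedV4(v4)) return { ok: false, reason: "internal-address" };
  if (!allowedHosts.includes(host)) return { ok: false, reason: "host-not-allowed" };
  // Names are not resolved here; the address actually connected to needs the same range check.
  return { ok: true, url: url.href };
}

// Constructed sample inputs.
const allowed = ["docs.example.com"];
for (const u of ["https://docs.example.com/guide", "http://2130706433/", "file:///tmp/x"]) {
  console.log(u, JSON.stringify(checkOpenUrlTarget(u, allowed)));
}
```

The handler would call the check first and open only the returned url value when ok is true.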
Affected Products
Cloudbase-Mcp