PT-2026-36758 · Pixelsock · Directus-Mcp

Brucejqs · Published 2026-05-04 · Updated 2026-05-04 · CVE-2026-7729

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
pixelsock directus-mcp version 1.0.0

Description
A flaw in the MCP Interface component allows for server-side request forgery (SSRF), a condition where an attacker can induce the server to make requests to an unintended location. This occurs through the manipulation of the fileUrl argument within the validateUrl() function located in the index.ts file. The attack can be executed remotely.

Recommendations
As a temporary workaround, restrict the use of the validateUrl() function until the pending pull request is accepted and a fix is released.
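
The sketch below is an added example of the kind of check a fileUrl-style argument needs before the server fetches it. It is not code from directus-mcp or from the pending pull request, and checkFileUrl, isInternalV4 and isInternalV6 are hypothetical names.

```typescript
// Added example, not directus-mcp code: all function names here are hypothetical.

// True for loopback, private, link-local (cloud metadata), CGNAT and unspecified IPv4.
function isInternalV4(ip: string): boolean {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// True for ::, ::1, unique-local fc00::/7, link-local fe80::/10 and IPv4-mapped
// addresses whose embedded IPv4 is internal. Input is the URL parser's compressed form.
function isInternalV6(ip: string): boolean {
  if (ip === "::" || ip === "::1") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(ip) || /^fe[89ab][0-9a-f]:/.test(ip)) return true;
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(ip);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isInternalV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
}

// Returns null when the URL passes, otherwise the reason it was rejected.
function checkFileUrl(raw: string): string | null {
  let url: URL;
  try { url = new URL(raw); } catch { return "not an absolute URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "scheme not allowed";
  if (url.username !== "" || url.password !== "") return "embedded credentials";
  // WHATWG parsing has already canonicalised integer, hex and octal IPv4 forms
  // to dotted-quad, so the range check sees the address the socket would use.
  const host = url.hostname;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && isInternalV4(host)) return "internal IPv4 address";
  if (host.startsWith("[") && isInternalV6(host.slice(1, -1))) return "internal IPv6 address";
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost name";
  return null;
}
```

A hostname that passes this check still has to be resolved, and the resolved address run through the same range functions at connect time, because a public name can point at an internal address. Redirects should be disabled or each hop re-validated the same way.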

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-7729

Affected Products: Directus-Mcp