PT-2026-38625 · Pypi · Python-Utcp

Ylchen-007In

Published 2026-05-07 · Updated 2026-05-15 · CVE-2026-44661

CVSS v3.1: 4.7 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

python-utcp versions prior to 1.1.3

Description

The utcp-http plugin is subject to a blind Server-Side Request Forgery (SSRF), a flaw where an attacker can induce the server to make requests to an unintended location. This occurs due to a trust-boundary inconsistency between manual discovery and tool invocation. While the register_manual() function validates the discovery URL against an HTTPS or loopback allowlist, the call_tool() and call_tool_streaming() functions reuse the resolved tool_call_template.url without revalidation. Additionally, the OpenAPI converter trusts the servers[0].url declared in an attacker-hosted specification. An attacker hosting a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare internal addresses, such as http://127.0.0.1:9090 or http://169.254.169.254, causing the converter to produce tools that point to internal services on the agent host. This gap affects the utcp_http.http, utcp_http.streamable_http, and utcp_http.sse protocols. A separate prefix-bypass existed where a check using startswith("http://localhost") allowed URLs like http://localhost.evil.com to pass.

Recommendations

Update to version 1.1.3. Refuse to call register_manual() with any URL controlled by an untrusted party, even over HTTPS. Restrict outbound network access from the host running the agent so that internal addresses, such as RFC1918 ranges, 169.254.0.0/16 (cloud metadata), and loopback, are unreachable.
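
The two gaps in the description, shown as an added example (not python-utcp code and not the 1.1.3 fix): the prefix check beside a check on the parsed host, and a call-time revalidation of the tool URL. All function names are hypothetical, and refusing internal targets for manuals fetched from non-internal hosts is an assumed policy.

```python
import ipaddress
from urllib.parse import urlsplit

def weak_is_allowed(url: str) -> bool:
    # Prefix check of the kind the advisory describes: a string prefix
    # does not stop at the end of the host name.
    return url.startswith("https://") or url.startswith("http://localhost")

def _parse(url: str):
    """Return (scheme, host), or ("", "") if the URL does not parse."""
    try:
        parts = urlsplit(url)
        return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return "", ""

def _ip(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; this sketch does not resolve it

def _is_loopback(host: str) -> bool:
    ip = _ip(host)
    return host == "localhost" or (ip is not None and ip.is_loopback)

def _is_internal(host: str) -> bool:
    ip = _ip(host)
    return _is_loopback(host) or (
        ip is not None and (ip.is_private or ip.is_link_local))

def is_allowed(url: str) -> bool:
    """HTTPS to any host, or plain HTTP to loopback, judged on the parsed host."""
    scheme, host = _parse(url)
    if not host:
        return False
    return scheme == "https" or (scheme == "http" and _is_loopback(host))

def tool_url_permitted(discovery_url: str, tool_url: str) -> bool:
    """Call-time check (assumed policy): revalidate the tool URL, and refuse
    internal targets declared by a manual fetched from a non-internal host."""
    if not (is_allowed(discovery_url) and is_allowed(tool_url)):
        return False
    _, d_host = _parse(discovery_url)
    _, t_host = _parse(tool_url)
    return not (_is_internal(t_host) and not _is_internal(d_host))
```

Host names are not resolved here, so a DNS name that points at an internal address still passes; the outbound network restriction in the recommendations covers that case.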

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-44661
GHSA-39J6-4867-GG4W

Affected Products

Python-Utcp