Vulnerability  ·  2026-07-06

AIAnytime Awesome-MCP-Server (mcp-wiki) — Server-Side Request Forgery via url Argument

VulnerabilityMedium impactGlobalCVE-2026-14748
CVE-2026-14748 (CVSS 6.3 Medium, published 2026-07-05) is an SSRF vulnerability in an MCP server tool that summarizes wiki content, reachable by manipulating the url argument passed to the tool.
MCP servers are directly callable by LLM agents; an SSRF here lets a prompt-injected or malicious agent request internal cloud metadata endpoints or internal services from the MCP server's network position.
The wiki-summary MCP tool accepts a caller-supplied url argument without adequate validation, allowing an attacker to make the MCP server issue requests to arbitrary internal or external endpoints (SSRF).
AIAnytime Awesome-MCP-Server, mcp-wiki/wiki-summary component (up to commit a884bb51bcd99e08e14fd712c749d55d9d9a13ab)
No fix version confirmed at disclosure; restrict MCP tool network egress and validate/allowlist target URLs.
NVD CVE-2026-14748SecurityVulnerability.io CVE-2026-14748
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →