Vulnerability  ·  2026-07-07

AIAnytime Awesome-MCP-Server (mcp-wiki) — SSRF via Wiki-Summary URL Argument

VulnerabilityMedium impactGlobalCVE-2026-14748
A server-side request forgery flaw in the mcp-wiki component of this MCP server collection lets an attacker manipulate the url parameter to make the server issue requests to arbitrary destinations, including internal network resources.
SSRF in any MCP tool server can be used to probe internal networks or reach cloud metadata endpoints when the MCP server runs in a cloud environment adjacent to other AI infrastructure, though this specific project has a narrow deployment footprint.
The mcp-wiki/wiki-summary component's server.py handles the url argument without validating the destination, allowing an attacker to trigger server-side requests against internal or restricted network destinations.
AIAnytime Awesome-MCP-Server up to commit a884bb51bcd99e08e14fd712c749d55d9d9a13ab
Apply an allowlist for the url argument or validate destinations against a denylist of internal address ranges; check upstream repository for a fix.
NVD CVE-2026-14748Awesome-MCP-Server GitHub
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →