CVE-2026-7221

April 29, 2026, 1 a.m.

5.5
Medium

Description

A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component.

Product(s) Impacted

Vendor Product Versions
Tencentcloud
  • Cloudbase-mcp
  • <2.17.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tencentcloud cloudbase-mcp <2.17.1 / / / / / / /

References

https://github.com/TencentCloudBase/CloudBase-MCP/
https://github.com/TencentCloudBase/CloudBase-MCP/commit/3f678a1e7bd400cd76469d61024097d4920dc6b5
https://github.com/TencentCloudBase/CloudBase-MCP/issues/509
https://github.com/TencentCloudBase/CloudBase-MCP/pull/510
https://github.com/TencentCloudBase/CloudBase-MCP/releases/tag/v2.17.1
https://vuldb.com/submit/802230
https://vuldb.com/vuln/359821
https://vuldb.com/vuln/359821/cti

Tags

[email protected]
CWE-918
2026-04-28
CVE-2026-7221

CVSS Score

5.5 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
  • Exploit Maturity: PROOF_OF_CONCEPT

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 28, 2026, 4:16 a.m.
Last Modified: April 29, 2026, 1 a.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.