CVE-2026-42260

Aas-ee · open-webSearch

A Server-Side Request Forgery (SSRF) vulnerability exists in the open-webSearch MCP server, allowing unauthenticated attackers to perform unauthorized requests.

Executive summary

A critical SSRF vulnerability in open-webSearch allows unauthenticated attackers to perform unauthorized requests, potentially leading to information disclosure.

Vulnerability

This is a Server-Side Request Forgery (CWE-918) vulnerability occurring in the open-webSearch component. The vulnerability is exploitable by unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N).

Business impact

Successful exploitation of this SSRF vulnerability allows an attacker to force the server to make unintended requests to internal or external resources. This can result in unauthorized access to internal network services, sensitive configuration data exposure, or the bypassing of firewall restrictions, warranting the 8.2 CVSS score.

Remediation

Immediate Action: Update the open-webSearch package to version 2.1.7 or later via your package manager.

Proactive Monitoring: Monitor server logs for unusual outbound connection attempts to internal IP addresses or sensitive domains.

Compensating Controls: Implement strict egress filtering on the server hosting the MCP daemon to prevent unauthorized requests to internal resources.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the availability of a proof-of-concept and the potential for network-level compromise, administrators should prioritize updating open-webSearch to version 2.1.7 immediately. Failure to patch may expose internal network segments to unauthorized reconnaissance and interaction.