CVE-2026-42260
Aas-ee · open-webSearch
A Server-Side Request Forgery (SSRF) vulnerability exists in the open-webSearch MCP server, allowing unauthenticated attackers to perform unauthorized requests.
Executive summary
A critical SSRF vulnerability in open-webSearch allows unauthenticated attackers to perform unauthorized requests, potentially leading to information disclosure.
Vulnerability
This is a Server-Side Request Forgery (CWE-918) vulnerability occurring in the open-webSearch component. The vulnerability is exploitable by unauthenticated remote attackers (AV:N/AC:L/PR:N/UI:N).
Business impact
Successful exploitation of this SSRF vulnerability allows an attacker to force the server to make unintended requests to internal or external resources. This can result in unauthorized access to internal network services, sensitive configuration data exposure, or the bypassing of firewall restrictions, warranting the 8.2 CVSS score.
Remediation
Immediate Action: Update the open-webSearch package to version 2.1.7 or later via your package manager.
Proactive Monitoring: Monitor server logs for unusual outbound connection attempts to internal IP addresses or sensitive domains.
Compensating Controls: Implement strict egress filtering on the server hosting the MCP daemon to prevent unauthorized requests to internal resources.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the availability of a proof-of-concept and the potential for network-level compromise, administrators should prioritize updating open-webSearch to version 2.1.7 immediately. Failure to patch may expose internal network segments to unauthorized reconnaissance and interaction.