CVE-2026-34476— Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server

EPSS 0.08% · P23 Updated Apr 18, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-34476

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server

Source: NVD (National Vulnerability Database)

Vulnerability Description

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache SkyWalking MCP 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache SkyWalking MCP是Apache基金会的一个面向分布式系统的可观测性数据管理与处理组件。 Apache SkyWalking MCP 0.1.0版本存在安全漏洞，该漏洞源于SW-URL标头存在服务端请求伪造。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache SkyWalking MCP	0.1.0	-

II. Public POCs for CVE-2026-34476

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-34476

请登录查看更多情报信息。

https://nvd.nist.gov/vuln/detail/CVE-2026-34476

Same Patch Batch · Apache Software Foundation · 2026-04-13 · 5 CVEs total

CVE-2026-33858		Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass
CVE-2025-66236		Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI
CVE-2026-35337		Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handli
CVE-2026-35565		Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in St

IV. Related Vulnerabilities

Same vendor: Apache Software Foundation

Same weakness: CWE-918

V. Comments for CVE-2026-34476

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-34476— Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server

I. Basic Information for CVE-2026-34476

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-34476

III. Intelligence Information for CVE-2026-34476

Same Patch Batch · Apache Software Foundation · 2026-04-13 · 5 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-34476

Leave a comment