CVE-2026-5832— atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5832
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery
Source: NVD (National Vulnerability Database)
Vulnerability Description
A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
API Lab MCP 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
API Lab MCP是YoungEun Lee个人开发者的一个AI驱动的API测试实验室,支持自然语言交互与自动文档生成。 API Lab MCP 0.2.1及之前版本存在代码问题漏洞,该漏洞源于组件HTTP Interface的文件src/mcp/http-server.ts中的函数analyze_api_spec/generate_test_scenarios/test_http_endpoint对参数source/url的错误操作导致服务端请求伪造,可能导致远程攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| atototo | api-lab-mcp | 0.2.0 | - |
II. Public POCs for CVE-2026-5832
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5832
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2026-5832
No comments yet