CVE-2026-7147
Published: 27 April 2026
Summary
CVE-2026-7147 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, within the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates the manipulated req.query.base_url argument in the LLM Models API to prevent SSRF by ensuring only authorized URLs are processed.
- Monitors and controls outbound communications at system boundaries to block or detect unauthorized requests forged via the SSRF vulnerability.
- AC-4 (Information Flow Enforcement): enforces flow control policies restricting the server from initiating requests to arbitrary destinations based on the vulnerable base_url parameter.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing web application (the LLM Models API endpoint), reachable over the network with no authentication required, directly matches Exploit Public-Facing Application (T1190).
NVD Description
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7147 is a server-side request forgery (SSRF) vulnerability affecting JoeCastrom's mcp-chat-studio software up to version 1.5.0. The issue resides in an unknown functionality within the file server/routes/llm.js of the LLM Models API component, where manipulation of the req.query.base_url argument enables the forgery. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-918.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling attackers to forge requests from the server to arbitrary destinations.
Advisories from VulDB and the project's GitHub repository indicate the vulnerability was reported early via issue #4, but the maintainers have not responded or issued patches. No specific mitigations are detailed in the available references.
The exploit is public and may be used in the wild, with relevance to AI/ML contexts given the involvement of the LLM Models API in a chat studio application.
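The following Node.js handler is an added example, not mcp-chat-studio's code and not a patch from the project. It shows what the SI-10 input validation and AC-4 flow restriction listed under Mitigating Controls look like when applied to a base_url query parameter: the value is parsed with the WHATWG URL parser, then required to use https, carry no embedded credentials, name no loopback, private or literal IP host, and match a deployment allowlist before any outbound request is built from it. The allowlisted hostnames, the handler name and the Express-style request/response shape are assumptions, and no upstream is actually contacted.

```javascript
// Hypothetical hardened handling of a `base_url` query parameter (added example,
// not mcp-chat-studio's code). All names and hosts below are assumptions.

// Constructed allowlist of LLM backends this deployment is permitted to call.
const ALLOWED_BASE_HOSTS = new Set(["api.openai.example", "llm.internal.example"]);

// Literal IPv4 addresses a server-side fetch must never be pointed at:
// loopback and the RFC 1918 private ranges (AC-4: no flows to arbitrary destinations).
function isBlockedIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// SI-10 style validation of the raw query value. Returns { ok: true, url } with
// only scheme, host and path retained, or { ok: false, reason } for logging.
function validateBaseUrl(raw, allowedHosts = ALLOWED_BASE_HOSTS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing or oversized base_url" };
  }
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "base_url is not an absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme must be https" };
  if (url.username || url.password) return { ok: false, reason: "credentials not allowed" };
  // Node keeps the brackets on IPv6 literals in url.hostname; strip them for the checks.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback host" };
  if (host.includes(":") || isBlockedIPv4(host)) return { ok: false, reason: "literal IP address not allowed" };
  if (!allowedHosts.has(host)) return { ok: false, reason: `host ${host} is not allowlisted` };
  // Drop query string and fragment so only origin + path reach the outbound request.
  return { ok: true, url: `${url.origin}${url.pathname}` };
}

// Express-style handler shape (req.query, res.status().json()) written without
// Express so the example runs stand-alone. Rejections are logged for detection.
function modelsHandler(req, res) {
  const verdict = validateBaseUrl(req.query.base_url);
  if (!verdict.ok) {
    console.warn(`rejected base_url from ${req.ip}: ${verdict.reason}`);
    return res.status(400).json({ error: "invalid base_url" });
  }
  // The real route would fetch `${verdict.url}/models` here; omitted so nothing is contacted.
  return res.status(200).json({ upstream: verdict.url });
}

module.exports = { ALLOWED_BASE_HOSTS, isBlockedIPv4, validateBaseUrl, modelsHandler };
```

The hostname allowlist is the input-validation layer; it does not replace the boundary control from the same list, since a host that passes the allowlist can still resolve to an unexpected address at fetch time, so an egress filter at the network edge remains the backstop. Deployments that legitimately use plain-http backends on allowlisted hosts would relax the scheme check rather than the host checks.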
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp, llm, llm