CVE-2026-7221
Published: 28 April 2026
Summary
CVE-2026-7221 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates SSRF by requiring validation of the manipulated req.body.url input to ensure only safe URLs are processed by the openUrl function.
Enforces information flow control policies that restrict server-side requests to authorized destinations, preventing forged requests to internal resources.
Requires timely remediation of the specific flaw in CloudBase-MCP by upgrading to version 2.17.1, as identified in the patch commit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in unauthenticated public-facing web API endpoint directly enables exploitation of public-facing application for initial access and internal resource access.
NVD Description
A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the component open-url API Endpoint. The manipulation of the argument req.body.url results in server-side request forgery. It is possible to…
more
launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 2.17.1 is able to address this issue. The patch is identified as 3f678a1e7bd400cd76469d61024097d4920dc6b5. It is recommended to upgrade the affected component.
Deeper analysisAI
CVE-2026-7221 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting TencentCloudBase CloudBase-MCP versions up to 2.17.0. The issue resides in the openUrl function within the file mcp/src/interactive-server.ts of the open-url API endpoint, where the req.body.url argument can be manipulated to forge requests from the server. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote, unauthenticated attackers can exploit this vulnerability by sending crafted requests to the affected endpoint, tricking the server into making unintended requests on their behalf. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, such as accessing internal network resources or services not directly exposed to the internet. A public exploit is available, increasing the risk of widespread abuse.
Mitigation is addressed in CloudBase-MCP version 2.17.1 via commit 3f678a1e7bd400cd76469d61024097d4920dc6b5, as detailed in the project's GitHub repository, issue #509, pull request #510, and release notes. Security practitioners should prioritize upgrading the affected component to the patched version.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp, mcp