Perceptive Security
SOC/SIEM Consultancy

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of…
Published:
26 April 2026 at 22:00:00
Alert date:
27 April 2026 at 20:01:57
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
A server-side request forgery (SSRF) vulnerability has been identified in JoeCastrom mcp-chat-studio versions up to 1.5.0. The vulnerability exists in the LLM Models API component, specifically in the server/routes/llm.js file. Attackers can exploit this by manipulating the req.query.base_url argument to perform SSRF attacks. The vulnerability can be exploited remotely and a public exploit is now available. The project maintainers were notified through an issue report but have not responded to the disclosure.
Technical details
Mitigation steps:
Affected products:
JoeCastrom mcp-chat-studio
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7147
https://github.com/JoeCastrom/mcp-chat-studio/
https://github.com/JoeCastrom/mcp-chat-studio/issues/4
https://vuldb.com/submit/801896
https://vuldb.com/vuln/359746
https://vuldb.com/vuln/359746/cti
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
