


Perceptive Security
SOC/SIEM Consultancy

A vulnerability was found in TencentCloudBase CloudBase-MCP up to 2.17.0. Affected is the function openUrl of the file mcp/src/interactive-server.ts of the comp…
Published: 27 April 2026 at 22:00:00
Alert date: 28 April 2026 at 21:20:20
Source: nvd.nist.gov
Web Technologies, Cloud & Virtualization
A server-side request forgery (SSRF) vulnerability (CVE-2026-7221) was discovered in TencentCloudBase CloudBase-MCP versions up to 2.17.0. It affects the openUrl function in the open-url API endpoint, where manipulating the req.body.url parameter leads to SSRF. The vulnerability can be exploited remotely, and the exploit has been made public. The issue is fixed in version 2.17.1 by patch 3f678a1e7bd400cd76469d61024097d4920dc6b5. Users are advised to upgrade to the patched version immediately.
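One way to gate a caller-supplied URL such as req.body.url before a server-side handler opens it, as an added example (not the CloudBase-MCP patch or the project's code). The names checkOutboundUrl, isBlockedV4 and isBlockedV6 are hypothetical, and the blocked ranges are a common baseline chosen for this sketch.

```javascript
// Added example: hypothetical pre-flight check for a user-supplied URL
// before the server opens or fetches it. Not the CloudBase-MCP fix.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// IPv4 ranges a URL-opening endpoint should never reach (assumed baseline).
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad text -> unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function isBlockedV4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// Unspecified, loopback, unique-local (fc00::/7), link-local (fe80::/10)
// and every IPv4-mapped literal (rejected conservatively).
function isBlockedV6(host) {
  if (!host.startsWith("[")) return false;
  const addr = host.slice(1, -1).toLowerCase();
  return addr === "::" || addr === "::1" || addr.startsWith("::ffff:") ||
    /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(addr);
}

function checkOutboundUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: "scheme" };
  // Use the parser's canonical hostname (numeric IPv4 forms are normalised
  // to dotted-quad) rather than pattern-matching the raw string.
  const host = url.hostname.replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback-name" };
  if (isBlockedV4(host) || isBlockedV6(host)) return { ok: false, reason: "internal-address" };
  return { ok: true, reason: "allowed" };
}
```

A hostname that passes this check can still resolve to an internal address, so the resolved IP has to be checked again at connect time, and each redirect target re-validated.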
Affected products:
TencentCloudBase CloudBase-MCP
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7221
https://github.com/TencentCloudBase/CloudBase-MCP/
https://github.com/TencentCloudBase/CloudBase-MCP/commit/3f678a1e7bd400cd76469d61024097d4920dc6b5
https://github.com/TencentCloudBase/CloudBase-MCP/issues/509
https://github.com/TencentCloudBase/CloudBase-MCP/pull/510
https://github.com/TencentCloudBase/CloudBase-MCP/releases/tag/v2.17.1
https://vuldb.com/submit/802230
https://vuldb.com/vuln/359821
https://vuldb.com/vuln/359821/cti
This article was created with the assistance of AI technology by Perceptive.
