CVE-2026-5323 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in priyankark a11y-mcp up to version 1.0.5. It affects the A11yServer function in the src/index.js file, where a manipulated URL parameter can trigger unauthorized server-side requests. Although the attack vector requires local access, an exploit has been publicly disclosed and could be used by an attacker who already has local access.
The a11y-mcp project is a Model Context Protocol (MCP) server designed for accessibility testing, utilizing Puppeteer and Axe-core for web accessibility analysis. The SSRF vulnerability enables an attacker to craft malicious URL inputs that could cause the server to make requests to unintended internal or external resources.
Critical Impact
Local attackers can exploit SSRF to access internal network resources, potentially leading to data exfiltration, service enumeration, or abuse of cloud metadata endpoints.
Affected Products
- priyankark a11y-mcp versions up to 1.0.5
- Applications utilizing vulnerable a11y-mcp as a dependency
- Systems running a11y-mcp MCP server locally
Discovery Timeline
- April 2, 2026 - CVE-2026-5323 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5323
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), a weakness where the application receives a URL or similar request from an upstream component and retrieves the contents without sufficiently ensuring that the request is being sent to the expected destination.
In the context of a11y-mcp, the A11yServer function in src/index.js processes URL inputs for accessibility testing without validating whether those URLs point to safe, external resources. This oversight allows attackers to supply malicious URLs targeting localhost, loopback addresses, internal network ranges, or cloud provider metadata services.
The vendor has acknowledged the issue while noting that a11y-mcp operates as a "local stdio MCP server" without HTTP endpoints or network accessibility. The caller is always the local user or an LLM acting on their behalf with user approval. However, the SSRF vector still poses risks when the server can be manipulated to access unintended resources from the local machine's network perspective.
Root Cause
The root cause stems from insufficient URL validation in the A11yServer function. The original implementation accepted user-supplied URLs without:
- Validating the URL scheme (allowing non-HTTP/HTTPS protocols)
- Checking for loopback or internal network addresses
- Performing DNS resolution validation to prevent DNS rebinding attacks
This lack of input validation allows an attacker to bypass the intended access restrictions and direct the Puppeteer browser instance to navigate to arbitrary locations.
Attack Vector
The attack requires local access to the system running a11y-mcp. An attacker can exploit this vulnerability by:
- Supplying a URL pointing to internal resources (e.g., http://127.0.0.1/admin, http://169.254.169.254/ for cloud metadata)
- Using alternative localhost representations (e.g., http://0.0.0.0/, http://[::1]/)
- Leveraging DNS rebinding techniques to bypass hostname checks
The following patch was applied to address this vulnerability by implementing comprehensive URL validation:
ListToolsRequestSchema,
McpError,
} from '@modelcontextprotocol/sdk/types.js';
+import { lookup } from 'node:dns/promises';
import puppeteer from 'puppeteer';
import { AxePuppeteer } from '@axe-core/puppeteer';
+/**
+ * Validate that a URL is safe to navigate to (SSRF protection).
+ * Only allows http/https schemes and blocks requests to internal networks.
+ */
+async function validateUrl(urlString) {
+ let parsed;
+ try {
+ parsed = new URL(urlString);
+ } catch {
+ throw new Error('Invalid URL format');
+ }
+
+ // Only allow http and https schemes
+ if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+ throw new Error(`Disallowed URL scheme: ${parsed.protocol}`);
+ }
+
+ const hostname = parsed.hostname;
+
+ // Block obvious localhost/loopback hostnames
+ const blockedHostnames = ['localhost', '127.0.0.1', '::1', '0.0.0.0', '[::1]'];
+ if (blockedHostnames.includes(hostname.toLowerCase())) {
+ throw new Error('URLs pointing to loopback addresses are not allowed');
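Review bot: the exact-match `blockedHostnames` list stops at 127.0.0.1, ::1 and 0.0.0.0, so the rest of 127.0.0.0/8, the RFC 1918 ranges and link-local 169.254.0.0/16 (where the cloud metadata endpoint named in this advisory lives) all depend on whatever range check follows the newly imported `lookup`; that check should run over every address the name resolves to (`lookup(hostname, { all: true })`), not just the first, and the vetted address should be the one the Puppeteer navigation actually uses, otherwise a name that resolves differently between the check and `page.goto` (the DNS rebinding case the advisory calls out) or an HTTP redirect from an allowed host to a blocked one still reaches the target. One small correctness point on the list itself: WHATWG `new URL()` already folds shorthand IPv4 literals such as `127.1` into `127.0.0.1`, but it returns IPv6 literals bracketed, so `parsed.hostname` for `http://[::1]/` is `[::1]` and the unbracketed `'::1'` entry never matches; strip the brackets once before the comparison rather than listing both forms.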
Source: GitHub Commit Change
Detection Methods for CVE-2026-5323
Indicators of Compromise
- Unexpected outbound requests from the a11y-mcp process to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Access attempts to cloud metadata endpoints (169.254.169.254)
- Unusual DNS resolution patterns from the application, particularly for internal hostnames
- Process logs showing navigation to localhost or loopback addresses
Detection Strategies
- Monitor network traffic from applications running a11y-mcp for requests to internal network ranges or metadata services
- Implement application-level logging to capture all URLs processed by the A11yServer function
- Deploy endpoint detection rules that alert on SSRF-typical access patterns from Node.js processes
- Review npm dependency trees to identify projects using vulnerable a11y-mcp versions (< 1.0.6)
Monitoring Recommendations
- Enable verbose logging for the a11y-mcp server to capture all URL navigation attempts
- Configure network monitoring to alert on RFC 1918 address access from the MCP server process
- Implement DNS query logging to detect potential DNS rebinding attempts
- Set up alerts for access to well-known metadata endpoints (AWS, GCP, Azure) from local applications
How to Mitigate CVE-2026-5323
Immediate Actions Required
- Upgrade a11y-mcp to version 1.0.6 or later immediately
- Audit applications using a11y-mcp to ensure they are not passing untrusted URL inputs
- Review logs for any historical SSRF exploitation attempts
- Implement network segmentation to limit the impact of SSRF from local services
Patch Information
The vulnerability has been resolved in a11y-mcp version 1.0.6. The fix introduces a validateUrl() function that performs comprehensive URL validation including:
- Protocol scheme validation (HTTP/HTTPS only)
- Blocklist checking for loopback addresses (localhost, 127.0.0.1, ::1, 0.0.0.0, [::1])
- DNS resolution validation using Node.js dns/promises module
The patch is identified by commit hash e3e11c9e8482bd06b82fd9fced67be4856f0dffc. For additional technical details, refer to the GitHub Commit Change and VulDB entry #354655.
Workarounds
- If immediate upgrade is not possible, implement URL validation at the application layer before passing URLs to a11y-mcp
- Restrict network access for the a11y-mcp process using firewall rules or network policies
- Run a11y-mcp in an isolated network environment with no access to internal resources
- Validate all URL inputs against an allowlist of permitted domains before processing
# Upgrade a11y-mcp to the patched version (npm update does not accept a version spec)
npm install a11y-mcp@1.0.6
# Verify installed version
npm list a11y-mcp
# Check for vulnerable versions in project dependencies
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.