CVE-2026-7147 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in JoeCastrom mcp-chat-studio versions up to 1.5.0. The vulnerability exists in the LLM Models API component, specifically within the server/routes/llm.js file. An attacker can manipulate the req.query.base_url parameter to perform unauthorized server-side requests, potentially accessing internal resources or conducting attacks against other systems.
Critical Impact
Remote attackers can exploit this SSRF vulnerability to make the vulnerable server send crafted requests to internal systems, potentially bypassing firewalls and accessing sensitive internal services.
Affected Products
- JoeCastrom mcp-chat-studio up to version 1.5.0
- Applications using the LLM Models API endpoint in server/routes/llm.js
- Deployments exposing the vulnerable API endpoint to untrusted networks
Discovery Timeline
- 2026-04-27 - CVE-2026-7147 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7147
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The mcp-chat-studio application fails to properly validate or sanitize the base_url parameter in API requests to the LLM Models endpoint. When processing requests, the server directly uses the user-supplied base_url value to construct outbound HTTP requests without adequate validation.
The vulnerability allows remote attackers to abuse the server as a proxy to reach internal network resources, potentially accessing cloud metadata services (such as http://169.254.169.254/), internal APIs, or other services that would otherwise be protected by network segmentation. The exploit has been publicly disclosed, and the project maintainers have been notified through an issue report, though no response has been received as of the last update.
Root Cause
The root cause of this vulnerability is insufficient input validation on the req.query.base_url parameter in the server/routes/llm.js file. The application accepts arbitrary URL values from user input and uses them directly in server-side HTTP requests without:
- Validating the URL scheme (allowing file://, gopher://, etc.)
- Restricting requests to allowed domains or IP ranges
- Blocking access to internal/private IP address ranges
- Implementing proper URL parsing and sanitization
Attack Vector
The vulnerability is exploitable remotely over the network without authentication. An attacker can craft malicious HTTP requests to the LLM Models API endpoint, supplying a specially crafted base_url parameter that points to internal resources or external systems the attacker wishes to probe.
The attack flow involves sending a request to the vulnerable endpoint with a manipulated base_url parameter pointing to an internal service. The server then makes a request to the attacker-specified URL, and the response (or error information) may be returned to the attacker, potentially leaking sensitive data.
For detailed technical information about this vulnerability, refer to the VulDB vulnerability entry and the GitHub issue tracker.
Detection Methods for CVE-2026-7147
Indicators of Compromise
- Unusual outbound HTTP requests from the mcp-chat-studio server to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254
- Abnormal traffic patterns in API logs showing requests with suspicious base_url parameter values
- Outbound connections to unexpected ports or services from the application server
Detection Strategies
- Monitor and log all values passed to the base_url parameter in API requests
- Implement network-level monitoring for outbound requests from the application server to internal IP ranges
- Deploy Web Application Firewall (WAF) rules to detect and block SSRF patterns in query parameters
- Review application logs for requests containing internal IP addresses or localhost references in URL parameters
Monitoring Recommendations
- Enable detailed request logging for the /api/llm endpoint and related routes
- Set up alerts for outbound connections to RFC 1918 private IP address ranges from the application server
- Monitor for connection attempts to cloud provider metadata services
- Implement rate limiting on the vulnerable endpoint to slow potential enumeration attacks
How to Mitigate CVE-2026-7147
Immediate Actions Required
- Restrict network access to the mcp-chat-studio application to trusted sources only
- Implement firewall rules to block outbound requests from the application server to internal networks and metadata endpoints
- Consider disabling the vulnerable LLM Models API endpoint if not required for operations
- Deploy a Web Application Firewall (WAF) with SSRF protection rules
Patch Information
At the time of publication, no official patch has been released by the project maintainers. The project was informed of the vulnerability through an issue report on GitHub but has not yet responded. Users should monitor the project repository for updates and apply patches as soon as they become available.
Workarounds
- Implement URL validation at the application level to restrict base_url to an allowlist of approved domains
- Deploy network egress filtering to prevent the server from connecting to internal resources
- Use a reverse proxy to inspect and filter requests containing suspicious URL patterns before they reach the application
- Isolate the application in a network segment with restricted outbound access
# Example iptables rules to block outbound requests to internal networks
# Block requests to private IP ranges from the application server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
