CVE-2026-7729 Overview
CVE-2026-7729 is a Server-Side Request Forgery (SSRF) vulnerability affecting pixelsock directus-mcp version 1.0.0. The flaw resides in the validateUrl function within index.ts of the MCP Interface component. An attacker who controls the fileUrl argument can coerce the server into issuing arbitrary HTTP requests on behalf of the application.
The issue is tracked under [CWE-918] and can be triggered remotely with low privileges. Public exploit details have been released, and a pull request to remediate the issue is awaiting acceptance from the maintainers.
Critical Impact
An authenticated remote attacker can manipulate the fileUrl parameter to perform SSRF, enabling internal network probing and unauthorized requests originating from the server.
Affected Products
- pixelsock directus-mcp 1.0.0
- MCP Interface component (index.ts, validateUrl function)
- Deployments exposing the Model Context Protocol (MCP) endpoint to untrusted clients
Discovery Timeline
- 2026-05-04 - CVE-2026-7729 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-7729
Vulnerability Analysis
The directus-mcp project implements a Model Context Protocol bridge to a Directus backend. The validateUrl routine in index.ts is intended to verify URLs supplied through the fileUrl parameter before the server fetches the referenced resource. The validation is insufficient, allowing attacker-controlled URLs to bypass the intended allowlist.
When the server processes a crafted fileUrl, it issues an outbound HTTP request to the attacker-specified destination. This permits requests to internal services, cloud metadata endpoints, and other resources reachable from the server's network position. The vulnerability is classified as Server-Side Request Forgery under [CWE-918].
Exploitation requires only network reachability to the MCP interface and a low-privilege account capable of submitting a fileUrl. Because the public exploit has been released and the fix has not yet been merged, exposed instances remain at risk.
Root Cause
The root cause is improper input validation inside validateUrl. The function fails to enforce a strict allowlist on hostnames, schemes, and resolved IP addresses. As a result, attackers can supply URLs pointing at internal address ranges (RFC 1918), loopback interfaces, link-local metadata services, or arbitrary external hosts that the validator should reject.
Attack Vector
An attacker submits a request to the MCP interface and sets the fileUrl argument to a target of their choosing. The server-side handler invokes validateUrl, accepts the malicious value, and performs a fetch against the supplied URL. Common abuse patterns include reaching http://169.254.169.254/ for cloud metadata theft, scanning internal HTTP services, and pivoting to non-HTTP services where the URL parser tolerates alternate schemes.
The vulnerability mechanism is described in prose because no verified exploit code is published in this advisory. Refer to the GitHub Issue Report and the proposed GitHub Pull Request for technical details.
Detection Methods for CVE-2026-7729
Indicators of Compromise
- Outbound HTTP requests from the directus-mcp host to internal RFC 1918 ranges, loopback addresses, or cloud metadata endpoints such as 169.254.169.254.
- MCP request logs containing fileUrl values that reference non-public hostnames, IP literals, or unexpected URL schemes.
- Spikes in fetches initiated by the MCP service to hosts outside the documented Directus asset domains.
Detection Strategies
- Inspect application logs for invocations of validateUrl and correlate them with the resolved destination of the subsequent fetch.
- Deploy egress filtering and alert on any traffic originating from the directus-mcp process to internal subnets or metadata services.
- Add Web Application Firewall (WAF) rules that flag fileUrl parameters containing IP literals, encoded characters, or non-HTTPS schemes.
Monitoring Recommendations
- Forward directus-mcp logs and host network telemetry to a centralized SIEM and retain at least 90 days of history for forensic review.
- Baseline normal outbound destinations for the MCP service and alert on deviations.
- Monitor the upstream repository for merge of the pending fix in GitHub Pull Request #14.
How to Mitigate CVE-2026-7729
Immediate Actions Required
- Restrict network egress from hosts running directus-mcp 1.0.0 to only the domains required for legitimate Directus operations.
- Place the MCP interface behind authentication and limit access to trusted internal clients.
- Block the MCP host from reaching cloud instance metadata services and internal management subnets.
Patch Information
No official release containing the fix is available at the time of publication. The proposed remediation is tracked in GitHub Pull Request #14 and awaits maintainer acceptance. Operators should monitor the pixelsock directus-mcp repository for an updated release and apply the fix once merged.
Workarounds
- Apply the patch from the pending pull request as a local fork until an official release is published.
- Implement an outbound proxy that enforces a strict allowlist of destination hostnames for the MCP service.
- Reject fileUrl values whose resolved IPs fall within private, loopback, link-local, or metadata ranges before passing them to the fetch routine.
# Example egress allowlist using iptables on the directus-mcp host
iptables -A OUTPUT -m owner --uid-owner directus-mcp -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner directus-mcp -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner directus-mcp -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner directus-mcp -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner directus-mcp -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
