Platform: go
Component: github.com/apache/skywalking-mcp
Fixed in: 0.1.1, 0.2.0
CVE-2026-34476 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Apache SkyWalking MCP. This flaw allows attackers to induce the server to make requests to arbitrary URLs, potentially exposing sensitive internal resources or performing actions on behalf of the server. The vulnerability affects version 0.1.0 of SkyWalking MCP, and a fix is available in version 0.2.0.
The SSRF vulnerability in Apache SkyWalking MCP allows an attacker to craft malicious requests that the server will execute on behalf of the attacker. This can lead to several severe consequences. An attacker could potentially scan internal networks for open ports and services, access sensitive data stored within internal systems, or even interact with internal APIs without proper authentication. The blast radius extends to any internal resources accessible through the SkyWalking MCP server, potentially compromising the entire internal infrastructure. While no direct precedent exists for this specific vulnerability, SSRF vulnerabilities are often exploited to gain deeper access to systems and networks, similar to how Log4Shell was leveraged for lateral movement.
CVE-2026-34476 was publicly disclosed on 2026-04-13. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No public proof-of-concept exploits have been released at the time of writing, but the SSRF nature of the vulnerability makes it a likely target for exploitation.
Organizations deploying Apache SkyWalking MCP version 0.1.0, particularly those with sensitive internal services accessible from the SkyWalking server, are at risk. Shared hosting environments where SkyWalking MCP is deployed alongside other applications should also be considered vulnerable, as a compromised SkyWalking instance could potentially be used to attack other tenants.
• linux / server:
journalctl -u skywalking-mcp -g "SW-URL"
• generic web:
curl -I <skywalking_mcp_url>/api/some/endpoint | grep -i 'sw-url:'
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CVSS vector
The primary mitigation for CVE-2026-34476 is to upgrade Apache SkyWalking MCP to version 0.2.0 or later, which includes the fix for this SSRF vulnerability. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing temporary workarounds. These may include restricting outbound network access from the SkyWalking MCP server using a firewall or proxy, and carefully validating and sanitizing any URLs provided by users. Additionally, implement strict access controls to limit which users or applications can interact with the SkyWalking MCP server. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or redirected.
Upgrade to version 0.2.0 of Apache SkyWalking MCP to mitigate the Server-Side Request Forgery (SSRF) vulnerability caused by the SW-URL header. This update fixes the issue by validating and restricting the requests made via the SW-URL header.
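The workaround described above (validate any URL supplied through the SW-URL header and restrict where the server may connect) and the journalctl check earlier on the page, as one added Go example; this is not code from the skywalking-mcp project. ValidateUpstreamURL, SuspiciousSWURLs, fakeResolve, the "sw-url=" log field, the allowlist and every host, address and log line are hypothetical or constructed for the example. The validator accepts an upstream URL only if it is http(s), its host is on an allowlist, and every address the host maps to is publicly routable; the same check is then run over captured log lines to triage SW-URL values the server should never have honoured.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

var errScheme = errors.New("scheme must be http or https")
var errHostNotAllowed = errors.New("host is not on the allowlist")
var errPrivateAddress = errors.New("host maps to a loopback, private or link-local address")
// isDisallowedIP: ranges an outbound fetch made on a client's behalf should never reach.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateUpstreamURL (hypothetical name) accepts raw only if it is http/https, its host is
// on allowedHosts, and every address the host maps to is publicly routable. The resolver is
// injected so the check runs offline here; in production back it with net.DefaultResolver.LookupIP.
func ValidateUpstreamURL(raw string, allowedHosts []string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errScheme
	}
	host := strings.ToLower(u.Hostname()) // Hostname() strips the port and IPv6 brackets
	allowed := false
	for _, h := range allowedHosts {
		if strings.EqualFold(h, host) {
			allowed = true
		}
	}
	if !allowed {
		return errHostNotAllowed
	}
	// A literal IP skips DNS; otherwise check every answer, which also catches an allowlisted name pointed at an internal address.
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip)
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return errPrivateAddress
		}
	}
	return nil
}

// SuspiciousSWURLs scans log lines for a "sw-url=" field and returns the values that fail
// ValidateUpstreamURL. The field name and layout are constructed; adapt to your real log format.
func SuspiciousSWURLs(lines []string, allowedHosts []string, resolve func(string) ([]net.IP, error)) []string {
	var flagged []string
	for _, line := range lines {
		idx := strings.Index(line, "sw-url=")
		if idx < 0 {
			continue
		}
		value, _, _ := strings.Cut(line[idx+len("sw-url="):], " ")
		if value != "" && ValidateUpstreamURL(value, allowedHosts, resolve) != nil {
			flagged = append(flagged, value)
		}
	}
	return flagged
}

// fakeResolve stands in for DNS so the example runs offline (constructed table).
func fakeResolve(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"oap.example.com":  {net.ParseIP("203.0.113.10")},
		"internal.example": {net.ParseIP("10.0.0.5")}, // allowlisted name pointing at a private address
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}
// AllowedHosts and SampleLogLines are constructed inputs, not real SkyWalking output.
var AllowedHosts = []string{"oap.example.com", "internal.example"}
var SampleLogLines = []string{
	"Apr 13 10:00:01 host skywalking-mcp[123]: request sw-url=https://oap.example.com/graphql user=alice",
	"Apr 13 10:00:02 host skywalking-mcp[123]: request sw-url=http://127.0.0.1:9000/ user=bob",
	"Apr 13 10:00:03 host skywalking-mcp[123]: request sw-url=https://internal.example/ user=carol",
	"Apr 13 10:00:04 host skywalking-mcp[123]: request sw-url=ftp://oap.example.com/ user=dave",
	"Apr 13 10:00:05 host skywalking-mcp[123]: health check ok",
}

func main() {
	for _, v := range SuspiciousSWURLs(SampleLogLines, AllowedHosts, fakeResolve) {
		fmt.Println("flagged:", v)
	}
}
```

The allowlist is checked before the address check on purpose: an allowlist alone is not enough, because a permitted name can later be pointed at an internal address, so every resolved answer is checked as well. A network-level egress restriction (firewall or proxy, as the mitigation text suggests) should still back this up, since a host-level check cannot cover DNS answers that change between validation and the actual connection.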
CVE-2026-34476 is a Server-Side Request Forgery vulnerability in Apache SkyWalking MCP version 0.1.0, allowing attackers to make arbitrary requests through the server.
Yes, if you are running Apache SkyWalking MCP version 0.1.0, you are affected by this vulnerability.
Upgrade Apache SkyWalking MCP to version 0.2.0 or later to resolve the SSRF vulnerability.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Apache SkyWalking project website and security announcements for the official advisory regarding CVE-2026-34476.