UNKNOWN CVE-2026-5607

CVE-2026-5607: SSRF in mcp-browser-agent < 0.8.0

Platform: nodejs

Component: mcp-browser-agent

CVE-2026-5607 is a server-side request forgery (SSRF) vulnerability in the imprvhub mcp-browser-agent component, specifically within the URL Parameter Handler function CallToolRequestSchema. Successful exploitation allows attackers to manipulate the application into making requests to unintended internal or external resources, potentially leading to data exposure or unauthorized access. This vulnerability affects versions 0.1.0 up to and including 0.8.0, and a fix is currently unavailable.

How to fix

Upgrade to a fixed version of imprvhub mcp-browser-agent. The vulnerability lies in the handling of URL parameters, specifically in the CallToolRequestSchema function. Review and strengthen input validation to prevent server-side request forgery (SSRF) attacks.

Frequently asked questions

What is CVE-2026-5607?

CVE-2026-5607 is a server-side request forgery (SSRF) vulnerability affecting the imprvhub mcp-browser-agent component. It allows attackers to manipulate URL parameters to make the server send requests to arbitrary locations, potentially exposing sensitive data or internal systems.

Am I affected by CVE-2026-5607?

You are potentially affected if you are using imprvhub mcp-browser-agent versions 0.1.0 through 0.8.0. It's crucial to assess your environment and take mitigating actions if you are using a vulnerable version.

How can I fix or mitigate CVE-2026-5607?

Currently, no official patch is available for CVE-2026-5607. Mitigation strategies include restricting outbound network access, validating and sanitizing user-supplied input, and implementing strict URL whitelisting to prevent unauthorized requests.
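
The strict URL allowlisting mentioned above can be sketched as follows. This is an added example, not code from mcp-browser-agent: the helper name `checkOutboundUrl`, the allowed host names and the sample inputs are all assumptions made for illustration.

```javascript
// Added example, not mcp-browser-agent code. Host names are constructed.
const ALLOWED_HOSTS = new Set(["example.com", "docs.example.com"]);
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

// Hypothetical helper: decide whether a caller-supplied URL may be requested.
// Returns { ok: true, href } or { ok: false, reason }.
function checkOutboundUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    // The WHATWG parser lowercases the host and rewrites alternative IPv4
    // spellings (hex, octal, integer) to dotted decimal before we compare.
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Web schemes only: rejects file:, data: and anything else.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: "scheme" };
  // Userinfo lets "https://example.com@other-host/" read like example.com.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials" };
  }
  // url.port is "" when the port is the scheme default (80 / 443).
  if (url.port !== "") return { ok: false, reason: "port" };
  // Exact match on the parsed host name, with a trailing root dot removed.
  // No substring or suffix matching: "example.com.other.test" must fail.
  const host = url.hostname.replace(/\.$/, "");
  if (!allowedHosts.has(host)) return { ok: false, reason: "host-not-allowed" };
  return { ok: true, href: url.href };
}

// Constructed sample inputs, one per rule above.
const SAMPLES = [
  "https://docs.example.com/guide",
  "HTTPS://Example.COM./a",
  "file:///etc/hostname",
  "https://example.com@127.0.0.1/",
  "https://example.com:8443/",
  "http://0x7f.0.0.1/",
  "https://example.com.other.test/",
  "not a url",
];

function runSamples() {
  return SAMPLES.map((s) => ({ input: s, ...checkOutboundUrl(s) }));
}

console.table(runSamples());
```

The check only covers the URL as submitted; redirects followed afterwards and host names that resolve to internal addresses are not caught by it, which is why restricting outbound network access remains part of the mitigation.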
