Platform: go
Component: github.com/apache/skywalking-mcp
Fixed in: 0.1.1, 0.2.0
CVE-2026-34476 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Apache SkyWalking MCP. This flaw allows attackers to induce the server to make requests to arbitrary URLs, potentially exposing sensitive internal resources or performing actions on behalf of the server. The vulnerability affects version 0.1.0 of SkyWalking MCP, and a fix is available in version 0.2.0.
An attacker successfully exploiting this SSRF vulnerability could potentially gain access to internal services and data that are not directly exposed to the internet. This could include accessing internal APIs, reading configuration files, or even interacting with other internal systems. The scope of the impact depends heavily on the internal network architecture and the sensitivity of the resources accessible from the SkyWalking MCP server. While direct remote code execution is unlikely, the attacker could leverage the SSRF to perform reconnaissance and identify further attack vectors. The ability to make arbitrary requests also opens the door to potential denial-of-service attacks by targeting internal services.
This vulnerability was publicly disclosed on 2026-04-13. No known public proof-of-concept exploits are currently available. The EPSS score is pending evaluation. It is not currently listed on the CISA KEV catalog. Given the SSRF nature and the availability of a patch, the likelihood of exploitation is considered medium until a public exploit is released.
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-34476 is to upgrade Apache SkyWalking MCP to version 0.2.0 or later, which includes the fix. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict network access to the SkyWalking MCP server to only necessary internal resources. Implement strict input validation and sanitization on any URLs used by the application to prevent attackers from injecting malicious URLs. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out potentially malicious requests. Monitor network traffic for unusual outbound connections originating from the SkyWalking MCP server.
Upgrade to version 0.2.0 of Apache SkyWalking MCP to mitigate the Server-Side Request Forgery (SSRF) vulnerability caused by the SW-URL header. This update corrects the issue by validating and restricting requests made through the SW-URL header.
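As an added illustration of the "validate and restrict" approach described above (this is not the project's actual patch), the following Go sketch checks an SW-URL header value against an operator-defined allowlist before it is used as a backend address. The allowlist contents, the default URL, and the `resolveBackend` helper are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist of backend host:port pairs (assumption: operator-supplied config).
var allowedBackends = map[string]bool{"oap.internal.example:12800": true}

var ErrRejected = errors.New("SW-URL rejected")

// resolveBackend (hypothetical helper) picks the URL the server will query.
// With no SW-URL header it returns the operator default; otherwise the value
// must be http(s), carry no userinfo, and name an allowlisted host:port exactly.
func resolveBackend(h http.Header, defaultURL string) (string, error) {
	raw := strings.TrimSpace(h.Get("SW-URL"))
	if raw == "" {
		return defaultURL, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: unparseable value", ErrRejected)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q", ErrRejected, u.Scheme)
	}
	if u.User != nil { // "allowed-host@other-host" style values
		return "", fmt.Errorf("%w: userinfo not allowed", ErrRejected)
	}
	if !allowedBackends[strings.ToLower(u.Host)] {
		return "", fmt.Errorf("%w: host %q not allowlisted", ErrRejected, u.Host)
	}
	return u.String(), nil
}

func main() {
	const def = "http://oap.internal.example:12800/graphql"
	// Constructed sample header values: empty, allowlisted, and three rejected forms.
	for _, v := range []string{"", def, "http://10.0.0.5:8080/admin",
		"http://oap.internal.example:12800@other.example/", "file:///etc/passwd"} {
		h := http.Header{}
		h.Set("SW-URL", v)
		got, err := resolveBackend(h, def)
		fmt.Printf("%-52q -> %q err=%v\n", v, got, err)
	}
}
```

Matching on the parsed host and port, rather than a string prefix of the raw header, is what keeps the userinfo form from passing the check.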
CVE-2026-34476 is a Server-Side Request Forgery vulnerability in Apache SkyWalking MCP version 0.1.0, allowing attackers to make arbitrary requests through the server.
Yes, if you are running Apache SkyWalking MCP version 0.1.0, you are affected by this vulnerability.
Upgrade Apache SkyWalking MCP to version 0.2.0 or later to resolve the SSRF vulnerability.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the Apache SkyWalking project website and security announcements for the official advisory regarding CVE-2026-34476.