CVE-2026-10274: Server-Side Request Forgery in indrasishbanerjee aem-mcp-server
A vulnerability was found in indrasishbanerjee aem-mcp-server, affecting the code base up to commit b5f833aef9b5dfd17a5991b3b18a8a11edbdc583. It affects the function getAssetMetadata in the file src/mcp-server.ts, part of the component Axios Request Flow. Manipulating the argument assetPath can lead to server-side request forgery. The attack can be launched remotely, and an exploit has been publicly disclosed. The product does not use versioning, so information about affected and unaffected releases is unavailable; the commit hash above is the only reference point for determining whether a checkout is affected. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
This vulnerability is in the getAssetMetadata function of src/mcp-server.ts in indrasishbanerjee's aem-mcp-server. The component name, Axios Request Flow, indicates that the assetPath argument is used to build an outbound HTTP request issued through the Axios client. Because the value is not restricted to a legitimate asset path before the request is built, a caller can steer that request to a destination of their choosing, which is server-side request forgery (SSRF). The vulnerability is remotely exploitable and has been publicly disclosed. The project does not use versioning, so there is no release to compare against and the commit hash is the only reference point. The maintainer has not yet responded or provided a fix.
Potential Impact
Successful exploitation lets an attacker make the server issue HTTP requests to destinations of their choosing, potentially reaching internal services, cloud metadata endpoints or other resources not otherwise exposed to the attacker. Whether response content is returned to the caller depends on how getAssetMetadata handles the Axios response, which the advisory does not state. The CVSS v4.0 base score of 5.3 places the issue at medium severity. There is no evidence of exploitation in the wild at this time.
Mitigation Recommendations
Patch status is not confirmed: the maintainer has not responded to the issue report and no official fix exists. Because the project is not versioned, track the repository for commits after b5f833aef9b5dfd17a5991b3b18a8a11edbdc583 rather than waiting for a release number. Until a fix is available, treat assetPath as untrusted input and validate it before it reaches the Axios request: require a rooted JCR path under an expected prefix, reject absolute and scheme-relative URLs, and confirm that the resolved request URL still has the origin of the configured AEM instance. As a compensating control, restrict outbound network access from the host running the MCP server so it can reach only the intended AEM instance, and block access to cloud metadata endpoints and internal management ports. Do not expose the MCP server to untrusted clients, since any client able to invoke the tool can trigger the request.
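The following is an added example, not code from the aem-mcp-server project. It contrasts the unsafe pattern of resolving a caller-supplied assetPath straight into a request URL (the shape of bug the advisory describes for an Axios request flow) with a validated builder that enforces the checks listed above. AEM_BASE_URL, ALLOWED_PREFIX, the metadata.json suffix and every function name are assumptions made for illustration.

```typescript
// Added example, not code from the aem-mcp-server project. AEM_BASE_URL,
// ALLOWED_PREFIX, the metadata.json suffix and all function names are assumptions.

// The only AEM instance this server may talk to (constructed value).
const AEM_BASE_URL = "https://aem.example.internal/";

// Assets must live below this JCR path; anything else is refused.
const ALLOWED_PREFIX = "/content/dam/";

// Unsafe pattern: the untrusted path is resolved as-is. Under WHATWG URL
// resolution an absolute URL replaces the whole base and a scheme-relative
// "//host/..." path replaces the host, so the request goes wherever the
// caller points it.
function buildUrlUnsafe(assetPath: string): string {
  return new URL(assetPath, AEM_BASE_URL).toString();
}

function decodeURIComponentSafe(s: string): string | null {
  try {
    return decodeURIComponent(s);
  } catch {
    return null; // malformed percent-encoding is treated as unsafe
  }
}

// Structural validation of the JCR path before it touches a URL or HTTP client.
function isSafeAssetPath(assetPath: string): boolean {
  if (assetPath.length === 0 || assetPath.length > 1024) return false;
  // Must be a rooted path: no scheme ("http:") and no authority ("//host").
  if (!assetPath.startsWith("/") || assetPath.startsWith("//")) return false;
  if (!assetPath.startsWith(ALLOWED_PREFIX)) return false;
  // Control characters, whitespace, query/fragment delimiters and backslash
  // (which WHATWG parsing treats as "/" for http(s)) all change URL structure.
  if (/[\x00-\x20\x7f?#\\]/.test(assetPath)) return false;
  // Dot segments, including percent-encoded ones, could escape ALLOWED_PREFIX.
  const decoded = decodeURIComponentSafe(assetPath);
  if (decoded === null) return false;
  if (decoded.split("/").some((seg) => seg === "." || seg === "..")) return false;
  return true;
}

// Hardened builder: validate, then resolve, then re-check the origin so that a
// later change to AEM_BASE_URL or the suffix cannot silently widen the target.
function buildAssetMetadataUrl(assetPath: string): string {
  if (!isSafeAssetPath(assetPath)) {
    throw new Error(`rejected assetPath: ${JSON.stringify(assetPath)}`);
  }
  // "/jcr:content/metadata.json" is the Sling GET servlet form of an asset's
  // metadata node; illustrative, not taken from the project.
  const url = new URL(`${assetPath}/jcr:content/metadata.json`, AEM_BASE_URL);
  if (url.origin !== new URL(AEM_BASE_URL).origin) {
    throw new Error("resolved URL left the configured AEM origin");
  }
  return url.toString();
}

// Usage: the returned string is what would be handed to axios.get(...).
// buildUrlUnsafe("//attacker.example/x")
//   -> "https://attacker.example/x"
// buildAssetMetadataUrl("/content/dam/site/hero.jpg")
//   -> "https://aem.example.internal/content/dam/site/hero.jpg/jcr:content/metadata.json"
// buildAssetMetadataUrl("//attacker.example/x")  -> throws
```

The origin re-check after resolution is deliberate: prefix validation alone protects only against the inputs the validator anticipated, while comparing url.origin with the configured base catches any path that the URL parser interprets as a host, whatever form it took. Keep the egress restrictions from the mitigation section in place as well, since validation in one tool does not cover other request paths in the same server.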
CVSS v4.0
Score: 5.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-05-31T14:23:07.678Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not provided
Threat ID: 6a1dbb9de29bf47b501c5693
Added to database: 6/1/2026, 5:04:29 PM
Last enriched: 6/1/2026, 5:34:11 PM
Last updated: 6/2/2026, 4:59:10 AM