CVE-2026-33060: CWE-918: Server-Side Request Forgery (SSRF) in ondata ckan-mcp-server
CVE-2026-33060 is a Server-Side Request Forgery (SSRF) vulnerability in ondata's ckan-mcp-server versions prior to 0.4.85. The vulnerability arises because the ckan_package_search, sparql_query, and ckan_datastore_search_sql tools accept a base_url parameter without validation, allowing attackers to make arbitrary HTTP requests. This can lead to internal network scanning and theft of cloud metadata service credentials (e.g., IAM credentials via IMDS at 169.254.169.254).
AI Analysis
Technical Summary
The vulnerability CVE-2026-33060 affects ondata's ckan-mcp-server, a tool used to query CKAN open data portals. Versions before 0.4.85 allow unauthenticated attackers with limited privileges to exploit the base_url parameter in several tools (ckan_package_search, sparql_query, ckan_datastore_search_sql) to perform Server-Side Request Forgery (SSRF). The base_url parameter specifies the endpoint for the server's outbound HTTP requests, but it is neither validated nor filtered. This absence of validation permits attackers to direct requests to arbitrary internal or cloud metadata endpoints, including private IP ranges (RFC 1918), link-local addresses (169.254.x.x), and cloud provider metadata services such as the Instance Metadata Service (IMDS) at 169.254.169.254. By leveraging SSRF, attackers can scan internal networks, access sensitive metadata, and potentially retrieve IAM credentials, which could lead to privilege escalation or lateral movement within cloud environments. Additionally, the sparql_query and ckan_datastore_search_sql tools accept unsanitized query parameters, exposing injection vectors for SQL or SPARQL injection attacks, which could compromise data integrity or confidentiality. Exploitation requires the attacker to inject or control the base_url parameter, but no user interaction is necessary. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (medium): the confidentiality impact is high, but exploitation requires some privileges and has a higher attack complexity. The issue was publicly disclosed on March 20, 2026, and fixed in version 0.4.85. No known exploits have been reported in the wild at this time.
Potential Impact
Organizations using vulnerable versions of ckan-mcp-server risk unauthorized internal network reconnaissance and exposure of sensitive cloud metadata, including IAM credentials. This can lead to unauthorized access to cloud resources, data exfiltration, and potential lateral movement within internal networks or cloud environments. The SSRF vulnerability undermines confidentiality by exposing internal services and credentials, while the injection vulnerabilities could compromise data integrity or lead to further exploitation. The medium severity rating reflects that exploitation requires some privileges and careful injection but can have significant consequences if successful. Public sector organizations, research institutions, and enterprises relying on CKAN open data portals for data sharing and analysis are particularly at risk. The lack of URL validation and private IP blocking means attackers can pivot from the exposed server to internal infrastructure, increasing the attack surface. Although no active exploits are known, the vulnerability's presence in open data tools used globally means widespread potential impact if exploited.
Mitigation Recommendations
Upgrade ckan-mcp-server to version 0.4.85 or later, where the vulnerability is fixed. If immediate upgrade is not possible, implement strict network-level controls to restrict outbound HTTP requests from the ckan-mcp-server host, blocking access to private IP ranges (RFC 1918), link-local addresses (169.254.x.x), and cloud metadata IPs (169.254.169.254). Apply input validation and sanitization on the base_url parameter to allow only trusted, whitelisted URLs. Employ web application firewalls (WAFs) with rules to detect and block SSRF patterns and injection attempts targeting the affected endpoints. Monitor logs for unusual outbound requests or query parameter anomalies indicative of SSRF or injection attempts. Conduct regular security assessments and penetration tests focusing on SSRF and injection vulnerabilities in data query tools. Educate developers and administrators about the risks of SSRF and the importance of validating user-controlled URLs and query inputs. Consider network segmentation to isolate the ckan-mcp-server from sensitive internal services and metadata endpoints.
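The base_url allowlisting and private-address blocking recommended above, written out as a validator an operator could put in front of the affected tools. This is an added example, not code from ckan-mcp-server or its 0.4.85 fix; the allowlisted hostnames, the stub DNS answers and the function names are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the CKAN portals this deployment is meant to query.
ALLOWED_HOSTS = {"demo.ckan.org", "data.example.org"}

# Constructed DNS answers so the check can be exercised offline (hypothetical).
STUB_DNS = {"demo.ckan.org": ["93.184.216.34"], "data.example.org": ["10.0.0.5"]}

def stub_resolver(host):
    return STUB_DNS.get(host, [])

def system_resolver(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def is_blocked_ip(ip: str) -> bool:
    """True for anything an SSRF filter must never reach: loopback, RFC 1918,
    CGNAT, link-local (which covers IMDS at 169.254.169.254), multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.5 is still 10.0.0.5
    return not addr.is_global

def validate_base_url(base_url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalised base_url if it is safe to request, else raise ValueError."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:        # IP literals never match the allowlist
        raise ValueError(f"host not on allowlist: {host!r}")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    for ip in addresses:                 # check every answer, not only the first
        if is_blocked_ip(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}{parts.path.rstrip('/')}"

def is_safe_base_url(base_url, resolver=system_resolver) -> bool:
    try:
        validate_base_url(base_url, resolver)
        return True
    except ValueError:
        return False
```

The resolve-then-connect gap (DNS rebinding) remains with any in-process check, so pair it with the egress controls above or pin the HTTP client to the address that was validated.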
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.342Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bcf9b8e32a4fbe5f3bdae9
Added to database: 3/20/2026, 7:39:36 AM
Last enriched: 3/20/2026, 7:53:55 AM
Last updated: 3/20/2026, 8:44:13 AM