The vulnerability CVE-2026-33060 affects ondata's ckan-mcp-server, a tool used to query CKAN open data portals. Versions before 0.4.85 allow unauthenticated attackers with low privileges to exploit the base_url parameter in tools such as ckan_package_search, sparql_query, and ckan_datastore_search_sql. These parameters are used to make HTTP requests but lack any validation or filtering, enabling Server-Side Request Forgery (SSRF). This means attackers can coerce the server to send requests to arbitrary internal or external endpoints, including private IP ranges (RFC 1918), link-local addresses (169.254.x.x), and cloud metadata services (notably 169.254.169.254). Accessing the cloud metadata service can expose sensitive IAM credentials, which attackers can leverage for privilege escalation or lateral movement within cloud environments. Furthermore, the sparql_query and ckan_datastore_search_sql tools accept unsanitized query parameters, opening injection attack surfaces for SQL or SPARQL injection. Exploitation requires the attacker to inject the base_url parameter, but no user interaction is necessary. The vulnerability does not impact integrity or availability directly but compromises confidentiality significantly. The issue was addressed in version 0.4.85 by implementing proper URL validation and blocking access to private IP ranges and cloud metadata endpoints.

Organizations using vulnerable versions of ckan-mcp-server risk unauthorized internal network reconnaissance, which can reveal sensitive infrastructure details. The most critical impact is the potential theft of cloud instance metadata, including IAM credentials, which can lead to privilege escalation and further compromise of cloud resources. This can result in data breaches, unauthorized access to sensitive data, and disruption of cloud services. The SSRF vulnerability also increases the attack surface for chained attacks, such as leveraging stolen credentials to move laterally or escalate privileges. The SQL/SPARQL injection vectors further increase risk by enabling attackers to manipulate backend databases, potentially exposing or corrupting data. Since the vulnerability requires only low privileges and no user interaction, it can be exploited remotely and stealthily, increasing the likelihood of successful attacks. However, the medium CVSS score reflects that exploitation complexity is moderate due to the need to control the base_url parameter and some access restrictions.

1. Upgrade ckan-mcp-server to version 0.4.85 or later, where the vulnerability is fixed. 2. Implement strict input validation and sanitization on all parameters that accept URLs, especially base_url, to ensure only legitimate and expected endpoints are reachable. 3. Enforce network-level restrictions to block outbound requests from the ckan-mcp-server to private IP ranges (RFC 1918), link-local addresses, and cloud metadata IPs (169.254.169.254). 4. Use web application firewalls (WAFs) with rules to detect and block SSRF patterns and injection attempts targeting SPARQL or SQL queries. 5. Monitor logs for unusual outbound requests from the server to internal or cloud metadata endpoints. 6. Employ the principle of least privilege for the ckan-mcp-server service account, limiting its network access and permissions. 7. Conduct regular security assessments and penetration tests focusing on SSRF and injection vulnerabilities in data portal tools. 8. Educate developers and administrators about SSRF risks and secure coding practices for handling external URLs and query parameters.