CVE-2026-5323: Server-Side Request Forgery in priyankark a11y-mcp
CVE-2026-5323 is a server-side request forgery (SSRF) vulnerability in the priyankark a11y-mcp software versions up to 1.0.5, specifically in the A11yServer function of src/index.js. The vulnerability requires local access to exploit, as the affected component is a local stdio MCP server without any network-accessible HTTP endpoints. Exploitation allows an attacker with local privileges to induce the server to make unauthorized requests, potentially accessing internal resources. The vendor has released version 1.0.6 to address this issue. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-5323 identifies a server-side request forgery (SSRF) vulnerability in the priyankark a11y-mcp software, affecting all versions up to 1.0.5. The vulnerability resides in the A11yServer function within src/index.js, where improper input validation or sanitization allows an attacker to manipulate the server into making arbitrary requests. However, the attack surface is constrained because a11y-mcp operates as a local stdio MCP server without network-accessible HTTP endpoints, meaning exploitation requires local access or a local user context. The vulnerability does not require user interaction but does require low privileges (PR:L, i.e. local access). The vendor has acknowledged the issue and released version 1.0.6 containing a patch (commit e3e11c9e8482bd06b82fd9fced67be4856f0dffc) that mitigates the SSRF risk. The continuous rolling release model of the product means no fixed versioning beyond 1.0.6 is available. The CVSS 4.0 vector (AV:L/AC:L/PR:L/UI:N/VC:L/VI:L/VA:L) reflects the local attack vector, low complexity, and limited impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild, reducing immediate risk but not eliminating it. The vulnerability is primarily a concern in environments where local users or processes could be malicious or compromised, potentially allowing lateral movement or unauthorized internal network access via SSRF.
Potential Impact
The primary impact of CVE-2026-5323 is the potential for an attacker with local access to leverage the SSRF vulnerability to induce the a11y-mcp server to make unauthorized requests to internal or external resources. This could lead to unauthorized information disclosure, internal network reconnaissance, or interaction with services that are otherwise inaccessible. However, since the server is not network-exposed and requires local privileges, the risk of remote exploitation is minimal. The vulnerability could be leveraged in multi-user systems or environments where local user accounts are not fully trusted, potentially facilitating privilege escalation or lateral movement. The medium CVSS score reflects this limited but non-negligible risk. Organizations relying on a11y-mcp in sensitive or multi-tenant environments should consider the risk of local attackers exploiting this SSRF to access internal services or data. The absence of known exploits in the wild reduces immediate threat but does not preclude future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2026-5323, organizations should upgrade the a11y-mcp component to version 1.0.6 or later, which contains the official patch addressing the SSRF vulnerability. Beyond upgrading, organizations should implement strict local user access controls and monitoring to limit the ability of untrusted users or processes to interact with the a11y-mcp server. Employing application whitelisting and process isolation can reduce the risk of local exploitation. Additionally, network segmentation and firewall rules should be used to restrict the a11y-mcp server's ability to make outbound requests to sensitive internal services. Auditing and logging local interactions with the a11y-mcp server can help detect suspicious activity indicative of SSRF exploitation attempts. Since the component is local-only, ensuring endpoint security and minimizing the number of privileged local users are critical complementary controls. Finally, reviewing and hardening any internal services that could be targeted via SSRF is recommended to reduce potential impact.
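The recommendation above to restrict the server's outbound requests is usually enforced in code as well as at the network layer. The following is an added example and not code from the a11y-mcp project or its patch: a destination policy for a Node.js helper that fetches URLs on behalf of a caller. It rejects non-HTTP schemes, embedded credentials, localhost names, and literal addresses in loopback, link-local, RFC 1918 and shared-address ranges, and optionally pins destinations to an allow-list. The function names `checkUrlPolicy` and `isBlockedAddress` and the sample URLs are assumptions made for this illustration.

```javascript
// Added example (not a11y-mcp project code): outbound-URL policy check for a
// Node.js service that fetches caller-supplied URLs. All names are assumed.

// IPv4 prefixes a local helper should never be induced to contact.
// Constructed list: loopback, "this network", RFC 1918, link-local, CGNAT.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['127.0.0.0', 8], ['169.254.0.0', 16],
  ['172.16.0.0', 12], ['192.168.0.0', 16], ['100.64.0.0', 10],
];

// Dotted-quad string -> unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// 4 for a dotted-quad IPv4 literal, 6 for anything containing ':', else 0.
// The WHATWG URL parser has already normalised decimal/hex/short IPv4 forms
// (e.g. "2130706433" -> "127.0.0.1"), so a strict dotted-quad test is enough.
function ipKind(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      host.split('.').every((o) => Number(o) <= 255)) return 4;
  return host.includes(':') ? 6 : 0;
}

// True when the literal address falls in a range the policy forbids.
function isBlockedAddress(ip) {
  const kind = ipKind(ip);
  if (kind === 4) {
    const n = ipv4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
    });
  }
  if (kind === 6) {
    const v6 = ip.toLowerCase();
    if (v6 === '::1' || v6 === '::') return true;   // loopback / unspecified
    if (v6.startsWith('fe80:')) return true;         // link-local
    if (/^f[cd]/.test(v6)) return true;              // unique local fc00::/7
    const mapped = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped
    if (mapped) return isBlockedAddress(mapped[1]);
    return false;
  }
  return false; // not a literal; resolved addresses must be checked separately
}

// Decide whether an outbound request to rawUrl is permitted.
// Returns { ok: true, url } or { ok: false, reason }.
function checkUrlPolicy(rawUrl, { allowedHosts = null } = {}) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // hostname keeps brackets around IPv6 literals; strip them for the checks.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost not allowed' };
  }
  if (allowedHosts && !allowedHosts.includes(host)) {
    return { ok: false, reason: 'host not on allow-list' };
  }
  if (ipKind(host) && isBlockedAddress(host)) {
    return { ok: false, reason: `blocked address ${host}` };
  }
  return { ok: true, url };
}

// Example usage with constructed inputs.
for (const u of ['https://example.com/page', 'http://127.0.0.1:8080/', 'file:///tmp/x']) {
  console.log(u, '->', JSON.stringify(checkUrlPolicy(u)));
}
```

Two caveats apply when this is wired into a real fetch path. A hostname that is not a literal must be resolved and every resolved address passed through `isBlockedAddress` too, and the connection should then be made to the vetted address rather than re-resolving the name, otherwise a DNS answer can change between check and use. Redirects must also be re-checked per hop, since a permitted public host can redirect to a forbidden internal one.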
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-04-01T13:12:31.763Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce125de6bfc5ba1db26106
Added to database: 4/2/2026, 6:53:17 AM
Last enriched: 4/2/2026, 7:08:26 AM
Last updated: 4/2/2026, 2:55:26 PM