CVE-2026-45366

MEDIUM 4.7

typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

8th

typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host. This vulnerability is fixed in 1.1.2.

CWE	CWE-918
Vendor	universal-tool-calling-protocol
Product	typescript-utcp
Published	May 28, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for universal-tool-calling-protocol typescript-utcp

Be the first to know when new medium vulnerabilities affecting universal-tool-calling-protocol typescript-utcp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

universal-tool-calling-protocol / typescript-utcp

< 1.1.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/universal-tool-calling-protocol/typescript-utcp/security/advisories/GHSA-r8j5-8747-88cm