CVE-2026-5832

HIGH 7.3

atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

14th

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyze_api_spec/generate_test_scenarios/test_http_endpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-918
Vendor	atototo
Product	api-lab-mcp
Published	Apr 9, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for atototo api-lab-mcp

Be the first to know when new high vulnerabilities affecting atototo api-lab-mcp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

atototo / api-lab-mcp

0.2.0 0.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/356288 vuldb.com: https://vuldb.com/vuln/356288/cti vuldb.com: https://vuldb.com/submit/789765 github.com: https://github.com/atototo/api-lab-mcp/issues/4 github.com: https://github.com/BruceJqs/public_exp/issues/6 github.com: https://github.com/atototo/api-lab-mcp/

Credits

🔍 BruceJin (VulDB User) VulDB CNA Team