CVE-2026-7146: AlejandroArciniegas mcp-data-vis Vulnerable to SSRF

The National Vulnerability Database has published CVE-2026-7146, a high-severity server-side request forgery (SSRF) vulnerability in AlejandroArciniegas mcp-data-vis. The record places the flaw in the function axios of the file src/servers/web-scraper/server.js, part of the HTTP Request Handler component: a URL supplied by a remote client reaches the HTTP client without sufficient validation, so an attacker can make the server issue requests to destinations of the attacker's choosing. The consequences are those of any SSRF: disclosure of responses from internal services and unauthorized interaction with systems that are not reachable from the internet but are reachable from the server.

The CVSS score of 7.3 (High) reflects an attack vector of Network with no privileges or user interaction required. A public exploit exists, so the flaw can be exercised with no research effort, and exposed instances should be treated as at immediate risk. Because mcp-data-vis ships on a rolling release model, there is no affected or fixed version number; the record identifies the affected code by commit (see the Indicators of Compromise table below). The maintainers were notified of the report but had not responded at the time of disclosure, so no upstream fix is available.

This SSRF is not just a way to fetch internal resources; it is a pivot point. Because the web-scraper server makes the request from inside the deployment's own network, an attacker can use it to enumerate internal hosts and ports, reach services that trust the server's source address, and query cloud instance metadata endpoints. With no patch path and a public exploit, any organization running this component should treat it as a high-priority threat: assume the endpoint is exploitable, apply the compensating controls below, and review egress logs for requests to internal or metadata addresses that the scraper had no business reaching.

What This Means For You

  • If your organization uses AlejandroArciniegas mcp-data-vis, assess your exposure immediately. Given the rolling release model and the absence of a maintainer response, assume the component is vulnerable. Restrict the scraper's outbound reach with network segmentation and egress filtering: allow it to connect only to the external destinations it genuinely needs, and explicitly block RFC 1918 ranges, loopback, and the link-local range 169.254.0.0/16 that hosts cloud metadata services. Run the web-scraper server under an identity with no cloud or internal-service privileges. Monitor for unusual outbound HTTP requests from these systems, particularly to internal addresses, non-standard ports, or the metadata endpoint.

🛡️ Detection Rules

Three detection rules were auto-generated for this CVE and mapped to MITRE ATT&CK; one is previewed below as Sigma YAML, which can be converted to other SIEM query languages. The rule is AI-generated and unverified: the '/api/scrape' path and the 'url' parameter are assumptions of the generator, not details from the NVD record, so confirm the route the deployed web-scraper server actually exposes before relying on it. Note also that a URL supplied in the POST body never appears in cs-uri-query, so the rule as written only catches targets passed in the query string.

Level: high · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

CVE-2026-7146: mcp-data-vis SSRF via axios in web-scraper

Sigma YAML preview:
title: CVE-2026-7146: mcp-data-vis SSRF via axios in web-scraper
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7146 by targeting the '/api/scrape' endpoint with a POST request and a 'url=' parameter, indicative of a Server-Side Request Forgery (SSRF) vulnerability in AlejandroArciniegas mcp-data-vis. The endpoint path and parameter name are assumptions of the rule generator and should be confirmed against the deployed server.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7146/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/scrape'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'url='
  condition: selection
falsepositives:
  - Legitimate use of the scrape endpoint with external URLs; the rule cannot distinguish internal from external targets
  - Legitimate administrative activity
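As an added example (not part of the page's rule set and not code from mcp-data-vis), the following script applies the rule's selection logic to a few W3C extended log lines, alongside a broader variant that does not depend on the query string. The log lines, client addresses and paths are constructed for this example; the '/api/scrape' path is the rule's own assumption.

```javascript
"use strict";
// Added example: runs the Sigma selection above over W3C extended log lines.
// The log below is constructed; field names follow the IIS/W3C convention.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-27 21:20:01 203.0.113.5 POST /api/scrape url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F 200
2026-04-27 21:20:02 198.51.100.7 GET /api/scrape url=https%3A%2F%2Fexample.com%2F 200
2026-04-27 21:20:03 203.0.113.5 POST /api/scrape - 200
2026-04-27 21:20:04 192.0.2.9 POST /api/health - 200
2026-04-27 21:20:05 203.0.113.5 POST /api/scrape/preview url=https%3A%2F%2Fexample.org%2F 404
`;

// Parses W3C extended log format: a #Fields directive names the columns,
// "-" marks an empty field, and values are space-separated.
function parseW3c(text) {
  let fields = null;
  const entries = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    if (line.startsWith("#Fields:")) { fields = line.slice(8).trim().split(/\s+/); continue; }
    if (line.startsWith("#")) continue;
    if (!fields) throw new Error("data line before #Fields directive");
    const values = line.split(" ");
    const entry = {};
    fields.forEach((f, i) => {
      entry[f] = values[i] === "-" || values[i] === undefined ? "" : values[i];
    });
    entries.push(entry);
  }
  return entries;
}

// The rule's selection, field by field: cs-uri|contains '/api/scrape',
// cs-method 'POST', cs-uri-query|contains 'url='. Sigma string matching is
// case-insensitive, so values are compared lower-cased. Note that "contains"
// also matches sibling paths such as /api/scrape/preview.
function matchesSigmaSelection(e) {
  const uri = (e["cs-uri-stem"] || "").toLowerCase();
  const query = (e["cs-uri-query"] || "").toLowerCase();
  return uri.includes("/api/scrape") &&
    (e["cs-method"] || "").toUpperCase() === "POST" &&
    query.includes("url=");
}

// Broader variant for the caveat in the text: when the scraper takes the URL
// in the POST body, cs-uri-query is empty and the strict rule never fires.
// Any POST to the endpoint is then worth a look, with severity decided from
// the request body or the server's own egress logs.
function matchesBroadSelection(e) {
  const uri = (e["cs-uri-stem"] || "").toLowerCase();
  return uri.includes("/api/scrape") && (e["cs-method"] || "").toUpperCase() === "POST";
}

// Decodes the target URL where it is present, so an analyst sees the real
// destination (the metadata service in the first line) rather than encoding.
function extractTarget(e) {
  const m = /(?:^|&)url=([^&]*)/i.exec(e["cs-uri-query"] || "");
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch { return m[1]; }
}

function summarise(e) {
  return { time: `${e.date} ${e.time}`, src: e["c-ip"], target: extractTarget(e) };
}

function runRule(text) {
  const entries = parseW3c(text);
  return {
    strict: entries.filter(matchesSigmaSelection).map(summarise),
    broad: entries.filter(matchesBroadSelection).map(summarise),
  };
}

module.exports = { SAMPLE_LOG, parseW3c, matchesSigmaSelection, matchesBroadSelection, extractTarget, runRule };
```

On the sample log the strict selection fires on the first and last lines (the last one through the prefix match on /api/scrape/preview), while the body-borne POST on the third line is only caught by the broad variant. Decoding the target shows why the first hit matters: the requested URL points at the cloud metadata service.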

Source: Shimi's Cyber World

Indicators of Compromise

ID             Type   Indicator
CVE-2026-7146  SSRF   AlejandroArciniegas mcp-data-vis, affected up to commit de5a51525a69822290eaee569a1ab447b490746d
CVE-2026-7146  SSRF   Function axios in src/servers/web-scraper/server.js
CVE-2026-7146  SSRF   Component HTTP Request Handler

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-7153: Critical OS Command Injection in Totolink A8000RU Routers

CVE-2026-7153 — A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the...

Tags: vulnerability, CVE, critical, high-severity, command-injection, CWE-77, CWE-78 · SCW Vulnerability Desk · CVSS 9.8 (Critical) · 5 IOCs · 3 Sigma rules

Totolink A8000RU Critical Command Injection (CVE-2026-7152)

CVE-2026-7152 — A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI...

Tags: vulnerability, CVE, critical, high-severity, command-injection, CWE-77, CWE-78 · SCW Vulnerability Desk · CVSS 9.8 (Critical) · 4 IOCs · 2 Sigma rules

Tenda HG3 2.0 Router Vulnerability: Remote Stack Buffer Overflow

CVE-2026-7151 — A vulnerability was determined in Tenda HG3 2.0. Impacted is the function formUploadConfig of the file /boaform/formIPv6Routing. This manipulation of the argument destNet...

Tags: vulnerability, CVE, high-severity, buffer-overflow, CWE-119, CWE-121 · SCW Vulnerability Desk · CVSS 8.8 (High) · 4 IOCs · 3 Sigma rules