CVE-2026-7147: JoeCastrom mcp-chat-studio SSRF Vulnerability Publicly Exploitable

A critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-7147, has been discovered in JoeCastrom mcp-chat-studio up to version 1.5.0. According to the National Vulnerability Database, this flaw resides within the LLM Models API component, specifically affecting the server/routes/llm.js file. Manipulation of the req.query.base_url argument allows for remote exploitation, enabling attackers to force the server to make requests to arbitrary domains.

The National Vulnerability Database highlights that the exploit for this vulnerability is now publicly available, significantly increasing the risk of widespread attacks. Despite early notification through an issue report, the project maintainers have not yet responded or provided a patch. With a CVSS score of 7.3 (HIGH), this issue represents a serious threat, potentially leading to information disclosure, port scanning of internal networks, or even access to internal services.

Attackers will leverage the public exploit to pivot into internal infrastructure, bypassing perimeter defenses. Defenders should assume active exploitation is imminent, especially given the lack of a vendor response. The attacker’s calculus here is simple: unpatched, exposed systems are low-hanging fruit for initial access and reconnaissance.

What This Means For You

  • If your organization uses JoeCastrom mcp-chat-studio, you are exposed. This is a high-severity SSRF with a public exploit. Immediately assess your exposure and consider isolating or removing any instances of mcp-chat-studio until a patch is available. Audit network logs for suspicious outbound connections from systems running this software, as attackers can use SSRF to scan internal networks or access metadata services.
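
One way to constrain a user-supplied base_url before a server acts on it, shown as an added example (this is not code from mcp-chat-studio or from the advisory). The function names, reason strings and allowlist entries are hypothetical, and the sample URLs used to exercise it are constructed.

```javascript
// Added example: not mcp-chat-studio code. Names and allowlist entries are hypothetical.
const ALLOWED_ORIGINS = new Set(['https://api.openai.com', 'https://llm-gateway.example.com']);

// IPv4 ranges a server-side fetch should never reach: [network, prefix length].
const INTERNAL_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];
// Loopback, unspecified, IPv4-mapped, unique-local and link-local IPv6 literals.
const INTERNAL_V6 = /^\[(::1?|::ffff:.+|f[cd][0-9a-f]{2}:.*|fe[89ab][0-9a-f]:.*)\]$/;

const toInt = (ip) => ip.split('.').reduce((acc, o) => acc * 256 + Number(o), 0);

function isInternalHost(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (INTERNAL_V6.test(hostname)) return true;
  // DNS names are not classified here; the origin allowlist below decides them.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) return false;
  const addr = toInt(hostname);
  return INTERNAL_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(addr / size) === Math.floor(toInt(net) / size);
  });
}

// Returns { ok, reason, origin }; the caller fetches only when ok is true.
function checkBaseUrl(raw) {
  // Express parses ?base_url=a&base_url=b as an array and base_url[x]=y as an object.
  if (typeof raw !== 'string') return { ok: false, reason: 'not-a-string' };
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials-in-url' };
  // The URL parser has already normalised forms such as http://2130706433/ to 127.0.0.1.
  if (isInternalHost(url.hostname)) return { ok: false, reason: 'internal-target' };
  if (!ALLOWED_ORIGINS.has(url.origin)) return { ok: false, reason: 'origin-not-allowlisted' };
  return { ok: true, reason: 'allowlisted', origin: url.origin };
}
```

Logging the reason separates internal-target attempts from requests to merely unlisted hosts, which helps when triaging alerts. The outbound request itself should also refuse to follow redirects, since an allowlisted upstream can still redirect elsewhere.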

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-7147: mcp-chat-studio LLM API SSRF via base_url parameter

Sigma YAML — free preview
title: CVE-2026-7147: mcp-chat-studio LLM API SSRF via base_url parameter
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7147 by identifying requests to the '/llm.js' endpoint with a 'base_url' query parameter, indicative of a Server-Side Request Forgery (SSRF) vulnerability in JoeCastrom mcp-chat-studio.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7147/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # '/llm.js' is the source file named in the advisory (server/routes/llm.js).
    # The advisory does not state the URL path the route is served on, so
    # confirm the path against your own access logs before relying on this match.
    cs-uri|contains:
      - '/llm.js'
    cs-uri-query|contains:
      - 'base_url='
    # Plain field equality; Sigma has no 'exact' modifier.
    cs-method: 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7147 | SSRF | JoeCastrom mcp-chat-studio up to 1.5.0
CVE-2026-7147 | SSRF | server/routes/llm.js in LLM Models API component
CVE-2026-7147 | SSRF | Manipulation of argument req.query.base_url

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
