CVE-2026-7158: dmitryglhf mcp-url-downloader SSRF Vulnerability
The National Vulnerability Database has disclosed CVE-2026-7158, a high-severity Server-Side Request Forgery (SSRF) vulnerability in dmitryglhf’s mcp-url-downloader up to commit 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6. The flaw, identified in the _validate_url_safe function within src/mcp_url_downloader/server.py, allows remote attackers to manipulate the url argument to force the server into making unintended requests.
This is a critical flaw with a CVSS score of 7.3 (HIGH) and a vector indicating network-based exploitation requiring no privileges or user interaction. The National Vulnerability Database confirms the exploit has been publicly disclosed, meaning it’s likely already weaponized or being actively explored by adversaries. The project maintainers were informed via an issue report but have yet to respond, leaving users exposed.
SSRF vulnerabilities are gold for attackers, enabling them to scan internal networks, access sensitive internal resources, and bypass firewall rules. Given the public disclosure and lack of a patch, any organization using this component is at immediate risk. Defenders must assume this vulnerability is being probed right now.
What This Means For You
- If your organization uses dmitryglhf's `mcp-url-downloader`, you need to assess your exposure immediately. This SSRF flaw allows attackers to pivot from your internet-facing assets into your internal network. Without a patch, the only viable mitigation is to remove or isolate this component entirely until a fix is available.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7158: dmitryglhf mcp-url-downloader SSRF via _validate_url_safe
title: CVE-2026-7158: dmitryglhf mcp-url-downloader SSRF via _validate_url_safe
id: scw-2026-04-27-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-7158 by targeting the _validate_url_safe function in dmitryglhf mcp-url-downloader. This rule looks for requests to the vulnerable Python script containing the 'url=' parameter, which is indicative of an SSRF attack.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7158/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/src/mcp_url_downloader/server.py'
cs-uri-query|contains:
- 'url='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7158 | SSRF | dmitryglhf mcp-url-downloader up to 4b8cf2de55f6e8864a77d108e8a94a5b8e4394c6 |
| CVE-2026-7158 | SSRF | Vulnerable function: _validate_url_safe in src/mcp_url_downloader/server.py |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7178: ChatGPTNextWeb NextChat SSRF Vulnerability
CVE-2026-7178 — A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component...
ChatGPTNextWeb NextChat SSRF Vulnerability (CVE-2026-7177) Exposed
CVE-2026-7177 — A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file...
Tenda HG3 Router Command Injection (CVE-2026-7160) Exposes Networks
CVE-2026-7160 — A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the...