CVE-2026-10280: Server-Side Request Forgery in Horizon921 mcpilot 0.1.0
Horizon921's mcpilot version 0.1.0 contains a server-side request forgery (SSRF) vulnerability in its MCP API Call Endpoint. An attacker can manipulate the serverBaseUrl parameter to trick the application into making requests to arbitrary internal or external systems. Because this requires no authentication and can be exploited over the network, it represents a meaningful attack surface for anyone running this software. The flaw has already been disclosed publicly and exploit code is available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the MCP API Call Endpoint (client/src/app/api/mcp/call/route.ts) where insufficient input validation on the serverBaseUrl argument permits server-side request forgery. An unauthenticated remote attacker can supply a malicious serverBaseUrl value that causes the application server to initiate requests on their behalf, potentially targeting internal services, cloud metadata endpoints, or other systems. The attack vector is network-based with low complexity and no user interaction required, making it easily exploitable by a remote adversary. CWE-918 (Server-Side Request Forgery) applies directly.
Business impact
Organizations deploying mcpilot 0.1.0 face exposure of internal service enumeration, potential data exfiltration through cloud metadata endpoints (if deployed in containerized or cloud environments), and lateral movement opportunities to backend systems. The combination of network accessibility, public exploit availability, and ease of exploitation creates operational risk. Any integrations or downstream systems the mcpilot instance can reach become potential targets. Development teams should prioritize remediation to prevent reconnaissance and unauthorized internal access.
Affected systems
Horizon921 mcpilot version 0.1.0 is affected. The vulnerability resides in the MCP API Call Endpoint component. Any deployment of this specific version is potentially at risk if the endpoint is accessible from untrusted networks.
Exploitability
This vulnerability is highly exploitable. The attack requires no authentication, no user interaction, and low technical complexity. An attacker need only craft a malicious HTTP request with a crafted serverBaseUrl parameter. Public exploit code has already been released, lowering the barrier to weaponization. Active exploitation is a realistic near-term risk.
Remediation
Immediately discontinue use of mcpilot 0.1.0. Contact Horizon921 for patched releases or interim guidance; as of the vulnerability publication date, the project had not yet responded to notifications. Implement network segmentation to restrict the mcpilot instance's outbound connectivity to only necessary endpoints. Apply strict input validation and allowlisting for any URL parameters in future deployments. If an upgrade is available, deploy it after testing.
Patch guidance
Check Horizon921's official advisories and release channels for patched versions of mcpilot. Given the public disclosure and available exploits, patching should be treated as urgent. Verify the patch against the vendor's signed release notes before deployment. If no patch has been released by the vendor, consider isolating or decommissioning affected instances until remediation is available.
Detection guidance
Monitor web server access logs and API gateway logs for requests to the /api/mcp/call endpoint containing suspicious or internal-looking serverBaseUrl values. Watch for outbound HTTP/HTTPS connections from the mcpilot instance to unexpected internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata services (169.254.169.254, equivalent Azure endpoints). Network intrusion detection systems should flag outbound requests from the application tier to infrastructure services or databases.
Why prioritize this
Despite a CVSS score of 7.3 (HIGH), the prioritization case is compelling: (1) a public exploit exists, significantly shortening attack timeline; (2) the vulnerability is trivial to exploit—no credentials, no complex payload construction; (3) it opens pathways to internal systems and sensitive metadata; (4) the vendor had not yet responded at publication. Any organization running 0.1.0 should treat this as urgent.
Risk score, explained
CVSS 3.1 base score 7.3 (HIGH) reflects high attack vector (network, unauthenticated, no user interaction) combined with confidentiality, integrity, and availability impacts. The score does not account for public exploit availability or vendor unresponsiveness, which in practice elevate operational risk beyond the base metric.
Frequently asked questions
Should we assume the vendor will provide a patch?
As of the publication date, Horizon921 had been notified but had not yet responded. Do not wait passively—contact the vendor directly, monitor their repository for updates, and prepare contingency plans such as network isolation or decommissioning if no patch materializes within a defined timeframe.
What systems should we scan for exposure to this endpoint?
Identify all systems running mcpilot 0.1.0 in your environment. Check network inventory tools, container registries, and deployment manifests. Verify network exposure: can untrusted sources reach the /api/mcp/call endpoint? Use your asset management database to prioritize patching for internet-facing or high-value instances.
Can this vulnerability be exploited from the internet, or only from internal networks?
The attack vector is network-based with no authentication required, meaning exploitation is possible from the internet if the endpoint is exposed. Even if the instance is not directly internet-facing, an internal attacker with network access can exploit it. Network segmentation is a temporary mitigation but not a substitute for patching.
What should we log and monitor to detect exploitation?
Monitor API logs for requests to /api/mcp/call with non-standard or internal serverBaseUrl values. Watch for unusual outbound HTTP/HTTPS traffic from the mcpilot process, especially to private IP ranges or cloud metadata endpoints. Implement alerting for failed connection attempts to internal services from the mcpilot instance.
This analysis is based on vulnerability data published as of June 2026. Patch availability, vendor response status, and KEV listing may change; consult official Horizon921 advisories and your vendor contacts for the latest remediation status. This document does not constitute legal or compliance advice. Organizations must evaluate business risk and regulatory obligations independently. No exploit code or weaponized proof-of-concept is provided or endorsed. Use only in authorized security testing and remediation environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-44285HIGHFastGPT SSRF Vulnerability in Dataset Preview Endpoint
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk