MEDIUM 6.3

CVE-2026-10662: Server-Side Request Forgery in ahujasid blender-mcp ZIP Handler

A server-side request forgery (SSRF) vulnerability exists in ahujasid blender-mcp, a tool that handles ZIP file operations. An authenticated attacker can manipulate the ZIP file URL parameter to force the server to make HTTP requests to arbitrary internal or external systems. This could allow an attacker to access sensitive internal services, exfiltrate data, or pivot deeper into a network. The vulnerability affects versions up to commit 7636d13, and a patch is available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the requests.get function within src/blender_mcp/server.py's ZIP File Handler component. The zip_file_url parameter is not properly validated before being passed to HTTP requests, enabling server-side request forgery. An authenticated user can supply a malicious URL—such as internal IP addresses, cloud metadata endpoints, or localhost services—causing the vulnerable server to make unintended outbound requests. The CVSS 3.1 score of 6.3 (MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects network accessibility, low attack complexity, and the need for prior authentication, with limited confidentiality, integrity, and availability impact.

Business impact

Organizations using blender-mcp in production environments face risk of unauthorized access to internal systems and data leakage. An attacker with valid credentials could abuse the SSRF to scan internal networks, reach cloud metadata services (e.g., AWS EC2 instance metadata), or interact with backend services not directly exposed to the internet. This can lead to credential disclosure, lateral movement, or disruption of dependent services. The impact is particularly acute in architectures where blender-mcp has access to sensitive internal infrastructure.

Affected systems

ahujasid blender-mcp versions up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected. The project uses a rolling release model, so specific semantic version numbers are not available. Organizations should verify their deployed commit hash against the advisory. The vulnerability requires authentication to exploit, limiting exposure to users or integrated systems with valid credentials.

Exploitability

The exploit has been made public, increasing the practical risk of weaponization. Exploitation requires prior authentication (PR:L in the CVSS vector), meaning internal users, service accounts, or compromised credentials are the primary attack vector. No special user interaction is needed; the attack can be triggered remotely by any authenticated actor with access to the ZIP file upload or URL parameter functionality. The low attack complexity makes this straightforward to exploit once authentication is obtained.

Remediation

Apply the patch identified as commit 5b37be25242e73dc4cf1328974d30458b9e5d67e or later. The patch should implement proper URL validation and potentially restrict the protocol schemes allowed (e.g., enforce HTTPS and block internal IP ranges). Organizations using a rolling release should update to the latest commit and verify the fix is included. Until patching is complete, restrict access to the ZIP file handling functionality to trusted users only.

Patch guidance

Update blender-mcp to a commit that includes patch 5b37be25242e73dc4cf1328974d30458b9e5d67e or later. Since the project uses rolling releases, verify the commit hash in your deployment against the patch hash provided. Test the patched version in a non-production environment to confirm functionality before deploying to production. Monitor vendor communications for any additional security updates, as rolling releases may include further hardening.

Detection guidance

Look for unusual HTTP requests originating from blender-mcp processes, particularly to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost, or cloud metadata endpoints. Monitor access logs for requests to the ZIP file handler endpoint with suspicious zip_file_url parameter values. Implement network segmentation to limit outbound connectivity from the blender-mcp service to only necessary external hosts. Use web application firewalls or proxy rules to block requests to internal IP ranges from this service.

Why prioritize this

Although scored as MEDIUM severity, the public exploit status, network accessibility, and low attack complexity warrant prioritization. The vulnerability is in a data-handling component frequently exposed to user input. Organizations with blender-mcp accessible to multiple users or integrated into automated workflows should prioritize patching. Authentication requirement provides some mitigation, but credential compromise or insider threats lower the practical barrier to exploitation.

Risk score, explained

CVSS 3.1 score of 6.3 reflects a MEDIUM severity vulnerability. Network-accessible attack vector (AV:N) and low attack complexity (AC:L) increase risk. The requirement for prior authentication (PR:L) moderates the score, as does the limited scope (SU). Confidentiality, integrity, and availability impacts are each low (L), indicating partial compromise rather than complete system compromise. The public exploit availability further elevates real-world risk beyond the base score.

Frequently asked questions

Does this vulnerability require the attacker to be authenticated?

Yes. The CVSS vector PR:L indicates prior authentication is required. The attacker must be a valid user or system with credentials to access the blender-mcp service, though the authentication requirement can be bypassed if an attacker compromises legitimate credentials.

What versions of blender-mcp are affected?

Versions up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected. Because blender-mcp uses a rolling release model, specific semantic version numbers (e.g., 1.2.3) are not available. Determine your deployed commit hash and compare it to the affected commit; apply patch 5b37be25242e73dc4cf1328974d30458b9e5d67e or later.

Is this vulnerability actively exploited in the wild?

The vulnerability description indicates the exploit has been made public, which increases the likelihood of active exploitation. Organizations should prioritize patching, particularly those with blender-mcp exposed to untrusted users or on network boundaries.

What can an attacker do with this SSRF vulnerability?

An attacker can force the vulnerable server to make HTTP requests to internal systems (databases, metadata services, private APIs) or external targets controlled by the attacker. This can enable credential theft, lateral network movement, data exfiltration, or reconnaissance of internal infrastructure. Impact depends on the network permissions and systems accessible from the blender-mcp server.

This analysis is based on publicly available information and the CVE record as of the publication date. Version and patch information should be verified against the official ahujasid blender-mcp repository and vendor advisories. Organizations should conduct their own risk assessment and testing before deploying patches. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data and recommends consulting official vendor sources for definitive guidance. No exploit code or weaponization steps are provided; this page is for defensive and situational awareness purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).