CVE-2026-10690: SSRF in DesktopCommanderMCP 0.2.37 – Patch & Mitigation Guide
A server-side request forgery (SSRF) vulnerability exists in DesktopCommanderMCP version 0.2.37. The flaw allows authenticated attackers to manipulate URL parameters passed to the read_file function, enabling the server to make arbitrary HTTP requests on behalf of the attacker. This could expose internal services, exfiltrate data, or compromise systems that trust the affected server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10690 is an SSRF vulnerability (CWE-918) in the readFileFromUrl function within src/tools/filesystem.ts of DesktopCommanderMCP. The vulnerability stems from insufficient validation of the url argument, permitting attackers with valid authentication credentials to craft malicious requests that force the server to connect to arbitrary internal or external endpoints. The CVSS 3.1 score of 6.3 reflects low-to-moderate impact across confidentiality, integrity, and availability under authenticated attack conditions.
Business impact
Organizations using DesktopCommanderMCP 0.2.37 face potential lateral movement risk, internal reconnaissance, and data leakage. An authenticated attacker could probe internal networks, access metadata services (such as cloud provider credential endpoints), or trigger outbound connections to exfiltrate sensitive information. While authentication is required, compromised user accounts or insider threats amplify exposure.
Affected systems
DesktopCommanderMCP version 0.2.37 is confirmed vulnerable. Later versions should be evaluated against the patch commit (53699bebba9950047bca16ac4dc8f0568f596aaa) to confirm remediation. Installations in environments with sensitive internal services or cloud deployments warrant priority review.
Exploitability
Exploitation requires valid authentication credentials to the affected system. A public exploit is available, lowering the technical barrier for attackers with access. The vector is network-based with low complexity, making remote exploitation straightforward once authentication is obtained.
Remediation
Apply the patch identified by commit 53699bebba9950047bca16ac4dc8f0568f596aaa. Verify the patched version is deployed and test functionality within the read_file component post-deployment. For interim mitigation, restrict network-level access to DesktopCommanderMCP and review authentication logs for suspicious activity.
Patch guidance
Obtain the patched release containing commit 53699bebba9950047bca16ac4dc8f0568f596aaa from the vendor repository. Verify the patch version number in your release notes against vendor advisory documentation before deployment. Test in a non-production environment to confirm the fix resolves the vulnerability without breaking integrations. Deploy to production during a maintenance window and monitor filesystem read operations for anomalies.
Detection guidance
Monitor logs for unusual readFileFromUrl calls with suspicious or internal IP addresses as url parameters (e.g., 127.0.0.1, 169.254.169.254, internal subnet ranges). Alert on requests deviating from normal file access patterns. Network IDS/IPS rules targeting SSRF payloads or cloud metadata service accesses may provide additional detection. Audit authentication logs for unusual session activity preceding suspicious read operations.
Why prioritize this
Although not listed on the CISA KEV catalog, this vulnerability combines authenticated remote exploitability with public exploit availability and direct impact on data confidentiality and system integrity. Organizations should prioritize patching within standard maintenance cycles, elevated if systems handle sensitive data or sit in network positions enabling access to cloud credential services.
Risk score, explained
The CVSS 6.3 MEDIUM score reflects the authentication requirement, which limits immediate blast radius. However, the combination of public exploit availability, network exploitability, and potential for lateral movement or data exfiltration justifies treating this as a moderate-to-high operational priority despite the intermediate severity rating.
Frequently asked questions
Does this vulnerability require authentication?
Yes. The vulnerability requires valid credentials to the DesktopCommanderMCP system. However, once an attacker has compromised a user account or obtained credentials through other means, they can immediately exploit the SSRF to probe internal networks or access services the server trusts.
Is this vulnerability actively exploited in the wild?
A public exploit is available, and the vulnerability was published in June 2026. While not currently tracked on the CISA KEV catalog, organizations should assume active exploitation risk, particularly if their DesktopCommanderMCP instances are exposed to the internet or untrusted networks.
Can this vulnerability lead to remote code execution?
The vulnerability is limited to server-side request forgery and does not directly enable code execution. However, it could be chained with other vulnerabilities or used to exfiltrate credentials or sensitive data that enable further attacks.
What's the difference between patching and network mitigation?
Patching eliminates the root cause by validating URL arguments properly. Network mitigation (firewalls, segmentation) reduces exposure but does not fix the flaw. Both are recommended—patch as primary remediation, and restrict access as complementary defense.
This analysis is based on publicly available vulnerability data as of June 2026. Patch version numbers and commit hashes reflect vendor advisory information; verify against official releases before deploying. CVSS scores and severity assessments follow NIST standards. SEC.co does not provide legal liability coverage for patch deployment decisions. Consult your vendor for environment-specific guidance and test patches in non-production settings before rollout. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata