DesktopCommanderMCP SSRF (CVE-2026-10690) — MCP File Tool Exposes IMDS

AI relevance: DesktopCommanderMCP is one of the most widely installed third-party MCP servers for AI coding assistants — its file-reading tool accepts unfiltered URLs, enabling SSRF to cloud metadata services and file:// paths that leak local secrets to any connected LLM agent.

What happened

  • CVE-2026-10690 (CWE-918) — The readFileFromUrl function in DesktopCommanderMCP's filesystem tool (src/tools/filesystem.ts) accepts arbitrary URLs without scheme or host validation, enabling server-side request forgery.
  • The related start_search function in src/search-manager.ts also has a security flaw tracked as CVE-2026-10691.
  • Disclosed June 3, 2026. Patch commit: 53699beb in the sorlen008/DesktopCommanderMCP fork.
  • Affects versions up to and including 0.2.37/0.2.38.
  • Public exploit details are available, lowering the barrier for adversaries to weaponize the vulnerability.

Why it matters

  • DesktopCommanderMCP is commonly installed by developers into Claude Code, Cursor, and other AI coding agents — it runs with the developer's local filesystem access and often with cloud credentials in the environment.
  • An attacker who can influence the URL passed to readFileFromUrl (e.g., through a malicious file path, PR title, or document content) can trigger SSRF to http://169.254.169.254/latest/meta-data/ and harvest AWS/GCP/Azure instance credentials.
  • This follows a broader pattern of MCP servers treating user-supplied URLs as inherently safe — the CloudSEK AIVigil case documented a similar SSRF via an unauthenticated MCP server in a Spring Boot platform, leading to AWS IAM credential theft.
  • MCP servers that perform network I/O on behalf of agents must treat all user-controlled URLs as untrusted — this is an architectural requirement, not an implementation detail.

What to do

  • Update DesktopCommanderMCP to the patched version immediately.
  • If you run DesktopCommanderMCP or any MCP server that accepts URLs for file reading/searching, verify that the tool validates schemes (reject file://, http(s):// to loopback/metadata IPs) and hostnames.
  • For AI coding agents, consider restricting MCP server installations to audited versions and pinning to specific commits rather than tracking latest.
  • Review other installed MCP servers for similar URL-accepting tools — SSRF in MCP is an emerging class with at least three independent disclosures this month.
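The scheme and host checks the second item above asks you to verify, as an added TypeScript example written for this page (it is not code from DesktopCommanderMCP or its patch commit). The function `checkFetchUrl` and the `BLOCKED_V4` / `BLOCKED_HOSTNAMES` tables are assumptions for illustration; it relies on the WHATWG `URL` parser to normalise hostnames (so `0x7f000001` and `127.1` come back as `127.0.0.1`) and then rejects non-http(s) schemes, embedded credentials, loopback and link-local literals (IPv4, IPv6, and IPv4-mapped IPv6), RFC 1918 ranges, and the well-known metadata hostnames.

```typescript
import { isIP } from "node:net";

// Hypothetical validator for a URL-accepting MCP file tool (not project code).
export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hostname aliases for loopback and cloud metadata endpoints (assumed list).
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

// IPv4 blocks an agent-facing fetch tool should never reach (assumed list).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],      // "this" network
  ["10.0.0.0", 8],     // RFC 1918
  ["127.0.0.0", 8],    // loopback
  ["169.254.0.0", 16], // link-local, includes the IMDS address
  ["172.16.0.0", 12],  // RFC 1918
  ["192.168.0.0", 16], // RFC 1918
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, oct) => (acc << 8) + Number(oct), 0) >>> 0;
}

function inCidr(ip: string, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return (ipv4ToInt(ip) & mask) === (ipv4ToInt(base) & mask);
}

function isBlockedIPv4(ip: string): boolean {
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// Expand an IPv6 literal into eight hextets; null when it cannot be parsed.
function expandIPv6(ip: string): number[] | null {
  const m = ip.match(/^(.*:)(\d+\.\d+\.\d+\.\d+)$/); // trailing dotted quad
  if (m) {
    const v4 = ipv4ToInt(m[2]);
    ip = `${m[1]}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const out = [...head, ...Array(missing).fill("0"), ...tail].map((g) => parseInt(g, 16));
  return out.some((n) => Number.isNaN(n) || n < 0 || n > 0xffff) ? null : out;
}

function isBlockedIPv6(ip: string): boolean {
  const h = expandIPv6(ip);
  if (!h) return true; // unparseable literal: fail closed
  const mapped = h.slice(0, 5).every((n) => n === 0) && h[5] === 0xffff;
  if (mapped) {
    // ::ffff:a.b.c.d reaches the IPv4 stack, so apply the IPv4 rules to it.
    return isBlockedIPv4(`${h[6] >> 8}.${h[6] & 0xff}.${h[7] >> 8}.${h[7] & 0xff}`);
  }
  if (h.slice(0, 7).every((n) => n === 0) && h[7] <= 1) return true; // :: and ::1
  if ((h[0] & 0xffc0) === 0xfe80) return true; // fe80::/10 link-local
  if ((h[0] & 0xfe00) === 0xfc00) return true; // fc00::/7 unique local
  return false;
}

// Decide whether a URL handed to the file tool may be fetched at all.
export function checkFetchUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  let host = url.hostname.toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".localhost")) {
    return { ok: false, reason: `blocked hostname ${host}` };
  }
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  const kind = isIP(host);
  if ((kind === 4 && isBlockedIPv4(host)) || (kind === 6 && isBlockedIPv6(host))) {
    return { ok: false, reason: `blocked address ${host}` };
  }
  return { ok: true, url };
}
```

A literal-address check like this is necessary but not sufficient: a public hostname can resolve to a blocked range, so the fetch layer should resolve the name itself, re-run the address check on what it gets back, connect to that exact address, and either disable redirects or re-validate every redirect target with the same function.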

Sources