Server-Side Request Forgery Vulnerability in Priyankark a11y-mcp

CVE-2026-5323

What is CVE-2026-5323?

A vulnerability has been identified in the Priyankark a11y-mcp up to version 1.0.5, affecting the A11yServer function in the src/index.js file. This vulnerability could allow local attackers to initiate server-side request forgery (SSRF) exploits. Although the attack requires local access, it poses potential risks, especially in environments where the software operates in an untrusted or shared context. Upgrading to version 1.0.6 resolves the issue, and the vendor has provided context regarding the risk, clarifying that a11y-mcp functions as a local stdio MCP server without external HTTP endpoints. Users are strongly advised to implement the available patch, referenced as e3e11c9e8482bd06b82fd9fced67be4856f0dffc, to ensure system security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References