Server-Side Request Forgery in pixelsock directus-mcp by pixelsock
CVE-2026-7729

5.3MEDIUM

Key Information:

Vendor: Pixelsock
Status: Directus-mcp
Vendor: CVE Published:; 4 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7729?

A security flaw has been identified in the pixelsock directus-mcp version 1.0.0. This vulnerability resides in the validateUrl function located in index.ts of the MCP Interface component. An attacker can manipulate the fileUrl argument, potentially leading to servers being tricked into making unauthorized requests. This issue can be exploited remotely, which raises significant concerns for the security of applications utilizing this component. The related pull request for a fix is currently awaiting acceptance, highlighting the urgency of addressing this vulnerability.

Affected Version(s)

directus-mcp 1.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7729 - Proof of Concept

References

https://vuldb.com/vuln/360904

vdb-entrytechnical-description

https://vuldb.com/vuln/360904/cti

signaturepermissions-required

https://vuldb.com/submit/807539

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 4, 2026
👾
Exploit known to exist
May 4, 2026
Vulnerability published
May 4, 2026
Vulnerability Reserved
May 3, 2026

Credit

BruceJqs (VulDB User)

VulDB CNA Team

CVE-2026-7729 Data

JSON

Pixelsock