7.1
CVE-2026-34476 · EXPLOITED · PATCHED
apache · skywalking mcp

Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server

Description

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue.

Affected Products

Vendor | Product | Versions
apache | skywalking mcp | 0.1.0

References

  • https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr (vendor-advisory)

Related News (2 articles)

Tier C · oss-security · 1d ago
CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server
→ No new info (linked only)

Tier C · VulDB · 1d ago
CVE-2026-34476 | Apache SkyWalking MCP up to 0.1.0 Header SW-URL server-side request forgery
→ No new info (linked only)

CVSS 3.1: 7.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr
CWE: CWE-918
Published: Apr 13, 2026
Last enriched: 1d ago (v3)
Tags: CVE-2026-34476
Trending Score: 49
Source articles: 2
Independent: 2
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-34197 · EXP
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans
Trending: 59

MEDIUM · CVE-2026-34479 · EXP
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 57

MEDIUM · CVE-2026-34480 · EXP
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 56

MEDIUM · CVE-2026-34477 · EXP
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Trending: 48

MEDIUM · CVE-2026-34481 · EXP
Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout
Trending: 45

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 13, 2026
Discovered by ZDM: Apr 13, 2026
Updated (severity, tags): Apr 13, 2026
Updated (severity, exploitAvailable, activelyExploited): Apr 13, 2026
Actively Exploited: Apr 13, 2026
Exploit Available: Apr 13, 2026
Patch Available: Apr 13, 2026

Version History

v3 · Tier C · 1d ago

Updated severity from HIGH to MEDIUM, marked exploit as available, and noted that the vulnerability is actively exploited.

severity, exploitAvailable, activelyExploited
via oss-security

v2 · Tier C · 1d ago

Updated severity to CRITICAL, marked exploit as not available, and added CVE-2026-34476 as a new tag.

severity, tags
via VulDB

v1 · 1d ago

Initial creation