CVE-2026-10662

Description

A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue.

PUBLISHED Reserved 2026-06-02 | Published 2026-06-02 | Updated 2026-06-03 | Assigner VulDB

Problem types

Server-Side Request Forgery

Product status

Timeline

Credits

skywings (VulDB User) reporter

References

vuldb.com/vuln/367957 (VDB-367957 | ahujasid blender-mcp ZIP File server.py requests.get server-side request forgery) vdb-entry technical-description

vuldb.com/vuln/367957/cti (VDB-367957 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-10662 (CVE-2026-10662 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/830488 (Submit #830488 | ahujasid blender-mcp Latest Server-Side Request Forgery) third-party-advisory

github.com/ahujasid/blender-mcp/issues/203 exploit issue-tracking

github.com/ahujasid/blender-mcp/pull/205 issue-tracking patch

github.com/...ommit/5b37be25242e73dc4cf1328974d30458b9e5d67e patch

github.com/ahujasid/blender-mcp/ product

cve.org (CVE-2026-10662)

nvd.nist.gov (CVE-2026-10662)

Download JSON