CVE-2026-49345: Mercator: SSRF enables internal network RCE via gopher://

AWAITING NVD
Published June 19, 2026
CISO Take

Mercator's admin configuration panel passes user-supplied URLs directly to curl without any scheme, hostname, or IP validation, allowing an authenticated attacker with the 'configure' permission to pivot into the internal network. By injecting a '#' fragment character to neutralize the appended '/api/dbInfo' suffix, the attacker gains full URL control — enabling blind port scanning via telnet:// and direct interaction with unauthenticated Redis or Memcached instances via gopher://, services commonly deployed as caching layers in AI/ML pipelines. Under common deployment conditions this chains to Remote Code Execution on internal hosts co-located with ML infrastructure. No public exploit exists and the vulnerability is not in CISA KEV, but the technique is well-documented and trivially constructable from the advisory; upgrade to Mercator 2025.05.19 immediately and enforce egress filtering on the Mercator host to block outbound connections to RFC1918 ranges.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium-High in environments where Mercator is deployed alongside internal AI/ML infrastructure. Authentication requirement (configure permission) constrains the initial attack surface, but internal ML environments routinely run unauthenticated Redis instances for feature stores, model output caches, and session storage — services directly targetable via the gopher:// vector. The '#' fragment bypass is a well-known SSRF technique requiring no novel research, placing exploitation squarely within reach of any motivated attacker with insider access or compromised credentials. No CVSS score is assigned yet, but the RCE chain warrants treating this as High severity internally.

How does the attack unfold?

Initial Access
Attacker authenticates to Mercator using compromised or insider credentials holding the 'configure' permission and navigates to /admin/config/parameters.
AML.T0012
SSRF Exploitation
Attacker injects a crafted URL with a '#' fragment character into testProvider(), bypassing the '/api/dbInfo' suffix and causing the Mercator server to issue arbitrary outbound HTTP/gopher/telnet requests to attacker-specified internal targets.
AML.T0049
Internal Reconnaissance
Using telnet:// scheme, attacker performs blind port scanning of the internal network to enumerate AI/ML infrastructure: model serving endpoints, Redis/Memcached instances, MLflow servers, and vector databases.
AML.T0006
Impact: RCE via Gopher
Attacker sends pre-formatted Redis RESP commands via gopher:// to an unauthenticated internal Redis instance, writing a malicious cron payload to achieve Remote Code Execution and establish a foothold for lateral movement into AI/ML infrastructure.
AML.T0037

What systems are affected?

Package: mercator
Ecosystem: (not listed)
Vulnerable Range: (not listed)
Patched: No patch

Do you use mercator? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

6 steps
  1. Patch immediately: upgrade Mercator to version 2025.05.19, which enforces scheme whitelisting and host/IP validation on the testProvider() input.

  2. Restrict the 'configure' permission to the absolute minimum set of admin accounts; audit current permission assignments.

  3. Implement network-level egress filtering on the Mercator host to deny outbound connections to RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback (127.0.0.0/8).

  4. Require authentication on all internal Redis (requirepass directive) and Memcached (-S flag) instances; bind them to localhost or dedicated VLANs rather than 0.0.0.0.

  5. If immediate patching is blocked, disable /admin/config/parameters via WAF rule or reverse proxy ACL.

  6. Review Mercator application logs for anomalous outbound requests from the testProvider endpoint, particularly to internal RFC1918 addresses.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2.5 - AI system security and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms to maintain deployed AI
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-49345 actively exploited?

No confirmed active exploitation of CVE-2026-49345 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-49345?

This vulnerability affects the following AI/ML architecture patterns: Model serving (internally accessible endpoints), MLOps pipelines with internal Redis/Memcached dependencies, Vector databases on internal networks, Training pipelines using internal feature stores, On-premise AI/ML deployments mapped by Mercator.

What is the CVSS score for CVE-2026-49345?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Model serving (internally accessible endpoints)
MLOps pipelines with internal Redis/Memcached dependencies
Vector databases on internal networks
Training pipelines using internal feature stores
On-premise AI/ML deployments mapped by Mercator

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0012 Valid Accounts
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.

Exploitation Scenario

An adversary who has compromised a Mercator admin account with 'configure' permissions — via credential stuffing, insider threat, or phishing — navigates to /admin/config/parameters. They submit a provider URL crafted as 'gopher://192.168.10.20:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a#' where the '#' causes the appended '/api/dbInfo' to be treated as a URL fragment discarded before the network request. The Mercator server issues the gopher:// request directly to the internal Redis instance, executing RESP commands that write a malicious cron entry to disk via Redis CONFIG SET dir and BGSAVE, achieving RCE on the Redis host. With this foothold, the attacker pivots laterally to MLflow tracking servers, internal LLM inference endpoints, or vector databases co-located on the same network segment, exfiltrating model artifacts, training data, or API keys stored in those services.
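The suffix bypass described in the advisory and the scenario above, and the scheme/host/IP validation the fix introduces, as an added Python illustration (not Mercator's PHP code): wire_target mimics the flawed append-then-parse pattern and shows what actually reaches the network, while check_provider_url applies a scheme allowlist, rejects fragments and userinfo, and refuses destinations that resolve to non-public addresses. FAKE_DNS, the hostnames and the addresses are constructed stand-ins so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
SUFFIX = "/api/dbInfo"

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
# A real check must resolve every A/AAAA record and pin the chosen address for
# the HTTP client, otherwise a rebinding name can pass here and resolve
# differently when the request is made.
FAKE_DNS = {"cve.example.com": "52.10.20.30", "cache.internal": "192.168.10.20"}


def wire_target(provider_url):
    """The flawed pattern: append the suffix, then let the URL parser decide.
    Everything after '#' is a fragment and is never sent, so the caller keeps
    control of scheme, host, port and path while the suffix is discarded."""
    parts = urlsplit(provider_url + SUFFIX)
    return parts.scheme, parts.hostname, parts.port, parts.path


def check_provider_url(provider_url, resolve=FAKE_DNS.get):
    """Hardened check: (url_with_suffix, None) if safe, else (None, reason)."""
    if "#" in provider_url or "?" in provider_url:
        return None, "fragments and query strings are not allowed"
    parts = urlsplit(provider_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None, f"scheme {parts.scheme!r} is not http/https"
    if parts.username is not None or parts.password is not None:
        return None, "userinfo is not allowed"
    host = parts.hostname
    if not host:
        return None, "missing host"
    try:
        addr = str(ipaddress.ip_address(host))   # literal IPv4/IPv6 address
    except ValueError:
        addr = resolve(host)                     # hostname: resolve it
    if addr is None:
        return None, f"cannot resolve {host!r}"
    if not ipaddress.ip_address(addr).is_global:
        # is_global is False for RFC1918, loopback, link-local, shared
        # address space, multicast and other non-routable ranges
        return None, f"{host!r} resolves to non-public address {addr}"
    return provider_url.rstrip("/") + SUFFIX, None
```

In the PHP caller the same intent is enforced at the transport layer by restricting CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to CURLPROTO_HTTP | CURLPROTO_HTTPS and leaving CURLOPT_FOLLOWLOCATION off, so a redirect cannot reintroduce another scheme after the check.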

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

Timeline

Published
June 19, 2026
Last Modified
June 19, 2026
First Seen
June 20, 2026