## SOAR MCP Integration Leaks Internal API URLs Through Error Messages, Aiding Reconnaissance
A security researcher has identified an information disclosure vulnerability in the SOAR (Security Orchestration, Automation and Response) MCP (Model Context Protocol) integration, where failed API calls return error messages containing full internal REST API URLs. The flaw exposes the SOAR platform's hostname and exact REST endpoint paths to MCP clients—typically AI agents—effectively mapping out internal infrastructure topology during reconnaissance.

The vulnerability, classified as low severity but marked informational, becomes particularly concerning when error responses include URLs that confirm the internal REST path structure. In one documented example, an error message reads: "Error fetching case 99999999: Resource not found (HTTP 404): https://www.soar4rookies.com/rest/container/99999999." More critically, a third example demonstrating a path traversal probe—"Error fetching case ../../../etc/passwd"—returned an error exposing the traversed URL, simultaneously confirming the path traversal vulnerability documented in issue #9. The pattern allows attackers to distinguish valid endpoints from invalid ones through error response analysis.

The exposure enables several attack vectors: enumeration of internal REST API structure, confirmation of the SOAR base URL, and systematic probing for additional endpoints. Security researchers note that even low-severity information disclosure flaws can compound with other vulnerabilities, as demonstrated by the intersection with the path traversal issue. The recommended remediation involves modifying the SoarApiClient error handling to return only HTTP status codes, omitting the full URL from client-facing error strings.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, api, information-disclosure, soar, reconnaissance
- **Credibility**: unverified
- **Published**: 2026-04-23 08:54:09
- **ID**: 76287
- **URL**: https://whisperx.ai/en/intel/76287