## CVE-2026-42260: High-Severity IPv6 Bypass Flaw Found in Open-WebSearch Before Version 2.1.7
A high-severity URL validation flaw has been identified in Open-WebSearch, a multi-engine MCP server, CLI, and local daemon designed for agent web search and content retrieval. The vulnerability, tracked as CVE-2026-42260 with a CVSS score of 8.2 (High), stems from improper handling of bracketed IPv6 literals in the isPublicHttpUrl and assertPublicHttpUrl functions located in src/utils/urlSafety.ts. The flaw affects all versions prior to 2.1.7 and potentially allows attackers to bypass URL safety checks, because the code fails to recognize IPv6 addresses enclosed in brackets and to resolve them properly before deciding whether a URL is safe.

The flaw lies in the URL safety validation logic, which is responsible for determining whether web requests are directed toward public or private network resources. By crafting URLs with bracketed IPv6 literals, an attacker could circumvent these checks, potentially redirecting the application toward internal network endpoints or other restricted resources that should be inaccessible. This class of vulnerability is particularly concerning in agent-based systems that autonomously retrieve and process web content, because a successful bypass can extend beyond the immediate application to affect downstream data handling.
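As an added illustration of the check described above (example code written for this page, not Open-WebSearch's own src/utils/urlSafety.ts; the names isPublicHttpUrlHardened, expandIPv6, isPrivateIPv6, isPrivateIPv4 and parseUrl are assumed), the validator below strips the brackets from an IPv6 host and classifies the address, including the IPv4-mapped form, instead of treating the literal as an ordinary hostname:

```typescript
// Added example, not Open-WebSearch's code; every name below is an assumption.

function isPrivateIPv4(ip: string): boolean {
  const o = ip.split(".").map(Number);
  // Malformed dotted quads fail closed (reported as not public).
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
  return o[0] === 0 || o[0] === 10 || o[0] === 127 || (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

// Expand a possibly "::"-compressed IPv6 literal (brackets already removed) into eight
// 16-bit words, or null if malformed. The WHATWG URL parser has already canonicalised the
// literal to lowercase hex groups (::ffff:127.0.0.1 arrives as ::ffff:7f00:1).
function expandIPv6(lit: string): number[] | null {
  const halves = lit.split("::");
  if (halves.length > 2) return null;
  const words = (s: string) => (s === "" ? [] : s.split(":").map((h) => parseInt(h, 16)));
  const head = words(halves[0]);
  const tail = halves.length === 2 ? words(halves[1]) : [];
  const zeros = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && zeros < 1) return null;
  const all = [...head, ...new Array<number>(zeros).fill(0), ...tail];
  return all.length === 8 && all.every((w) => w >= 0 && w <= 0xffff) ? all : null;
}

function isPrivateIPv6(w: number[]): boolean {
  const zeroPrefix = w[0] === 0 && w[1] === 0 && w[2] === 0 && w[3] === 0 && w[4] === 0;
  if (zeroPrefix && w[5] === 0xffff)  // IPv4-mapped: classify the embedded IPv4 address
    return isPrivateIPv4(`${w[6] >> 8}.${w[6] & 0xff}.${w[7] >> 8}.${w[7] & 0xff}`);
  if (zeroPrefix && w[5] === 0 && w[6] === 0 && w[7] <= 1) return true; // :: and ::1
  if ((w[0] & 0xffc0) === 0xfe80) return true;  // fe80::/10 link-local
  return (w[0] & 0xfe00) === 0xfc00;            // fc00::/7 unique-local
}

function parseUrl(raw: string): URL | null { try { return new URL(raw); } catch { return null; } }

// Only http(s) URLs whose host is a public address (or a non-local hostname) pass.
// The URL parser canonicalises hosts: IPv6 arrives bracketed and lowercase, and IPv4
// shorthand such as 127.1 or 0x7f000001 arrives as 127.0.0.1.
function isPublicHttpUrlHardened(raw: string): boolean {
  const u = parseUrl(raw);
  if (!u || (u.protocol !== "http:" && u.protocol !== "https:")) return false;
  const host = u.hostname;
  if (host.startsWith("[") && host.endsWith("]")) {
    const words = expandIPv6(host.slice(1, -1));  // strip the brackets, then classify as an address
    return words !== null && !isPrivateIPv6(words);
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return !isPrivateIPv4(host);
  return host !== "localhost";  // plain hostname: its resolved address must still be checked at connect time
}
```

A hostname that passes here is not yet safe: the address it resolves to has to be re-checked at connection time, since DNS can answer with a private address.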

Users of Open-WebSearch are advised to immediately verify their current installation version and upgrade to 2.1.7 or later if the running version falls within the affected range. Organizations should also audit any integrations or workflows that rely on the URL safety mechanisms, particularly those handling sensitive data or performing automated content retrieval. Given the active discussion within the security community around this CVE, further technical details may emerge as researchers continue to analyze the vulnerability's full scope and potential exploitation scenarios.
---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: CVE-2026-42260, Open-WebSearch, IPv6 bypass, URL validation, MCP server
- **Credibility**: unverified
- **Published**: 2026-05-12 17:18:26
- **ID**: 82290
- **URL**: https://whisperx.ai/en/intel/82290