← Back
2026-05-29 13:48CVE-2026-45609GitHub_M
PUBLISHED5.2CWE-918

mcp-security: Unvalidated URL Fetching (SSRF)

mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled This vulnerability is fixed in 0.1.9.

Problem type

Affected products

spring-ai-community

mcp-security

< 0.1.9 - AFFECTED

References

https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3

https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3

x_refsource_CONFIRM

GitHub Security Advisories

GHSA-qjp4-4jvr-xqg3

Spring AI MCP Security: Unvalidated URL Fetching (SSRF)

https://github.com/advisories/GHSA-qjp4-4jvr-xqg3

Summary

The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.

This only affects installations with Dynamic Client Registration (DCR) enabled:

spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true

DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).

Workaround

When users need to perform DCR, they may provide their own McpOAuth2ClientManager. Both McpMetadataDiscoveryService and DynamicClientRegistrationService are also affected, if used, users should provide their own subclasses.

Alternatively, users can provide the default implementations of these classes with a RestClient that implements URL filtering through ClientHttpRequestInterceptor.

github.com

https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3

github.com

https://github.com/spring-ai-community/mcp-security/pull/68

github.com

https://github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576

github.com

https://github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9

github.com

https://github.com/advisories/GHSA-qjp4-4jvr-xqg3

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-45609
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-45609",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-29T13:48:06.703Z",
    "dateReserved": "2026-05-12T20:31:43.447Z",
    "datePublished": "2026-05-29T13:48:06.703Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-29T13:48:06.703Z"
      },
      "title": "mcp-security: Unvalidated URL Fetching (SSRF)",
      "descriptions": [
        {
          "lang": "en",
          "value": "mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled This vulnerability is fixed in 0.1.9."
        }
      ],
      "affected": [
        {
          "vendor": "spring-ai-community",
          "product": "mcp-security",
          "versions": [
            {
              "version": "< 0.1.9",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3",
          "name": "https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}