HIGH | CVE-2026-45609 | CNA: GitHub_M

CVE-2026-45609: mcp-security: Unvalidated URL Fetching (SSRF)

mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled. This vulnerability is fixed in 0.1.9.

HarborGuard Analysis

Synopsis

Server-side request forgery (SSRF) in mcp-security, the Security and Authorization layer for Model Context Protocol in Spring AI. The framework fetches OAuth discovery and metadata URLs over the network without validating that the targets are not internal or malicious, and the bug is reachable over the network without authentication when Dynamic Client Registration is enabled. Successful exploitation lets an attacker coerce the server into issuing HTTP requests to attacker-chosen destinations, exposing internal services and tampering with discovery data. A patched-image rebuild at 0.1.9 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against mcp-security coordinates in customer registries and build pipelines, including custom-built images that bundle Spring AI components.

Status: Available

Triage

Triage is available with the published CVSS 3.1 score of 7.2 (High) weighted against each customer's compliance policy, so DCR-enabled workloads can be prioritized higher than installations where the affected code path is unreachable. Findings route to the security inbox configured for the owning team inside each customer org.

Status: Available

Patch

A patched-image rebuild at mcp-security 0.1.9 is available on HarborGuard. For customers who opt into auto-remediation, the rebuilt image is produced, the regression suite is executed, and a pull request is opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MCP server's OAuth discovery endpoint over the network (AV:N).

  • Authentication: Not required

    No credentials are needed; Dynamic Client Registration accepts unauthenticated callers (PR:N).

  • Victim interaction: Not required

    Exploitation is driven entirely by the attacker's request, with no user action required (UI:N).

  • Attack complexity: Detail

    Attack complexity is low: submitting a crafted URL through DCR is reliable and free of environmental preconditions (AC:L).

Blast Radius

  • Reads metadata from internal services that are not meant to be exposed, such as cloud instance metadata endpoints or admin APIs on the loopback interface.
  • Tampers with OAuth client registration state by steering discovery to attacker-controlled metadata, which can poison downstream authorization decisions.
  • Pivots requests across the scope boundary (S:C), letting the MCP server act as a proxy into network segments the attacker cannot reach directly.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at mcp-security 0.1.9 is produced as soon as the advisory is ingested, and environments with auto-remediation enabled receive an automatically rebuilt image, a regression-test run, and a pull request opened against affected workloads. Median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that cannot upgrade immediately, compensating controls are suggested in the finding: disable Dynamic Client Registration if unused, restrict egress from the MCP server to an allowlist of known authorization-server hosts, and block requests to link-local and RFC1918 ranges at the network policy layer.
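An application-layer counterpart to the compensating controls above, as an added example that is not code from mcp-security or its 0.1.9 fix: a check run on an OAuth discovery or metadata URL before it is fetched. The class name, the allowlist entry `auth.example.com` and the sample inputs are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not mcp-security code: validate a metadata URL before any request is made.
public class MetadataUrlGuard {
    // Assumption: the authorization-server hosts this deployment trusts.
    static final Set<String> ALLOWED_HOSTS = Set.of("auth.example.com");

    /** Returns null when the URL may be fetched, otherwise the rejection reason. */
    static String reject(String url) {
        URI uri;
        try { uri = URI.create(url); } catch (IllegalArgumentException e) { return "unparseable URL"; }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return "scheme is not https";
        if (uri.getUserInfo() != null) return "userinfo present";
        String host = uri.getHost();
        if (host == null) return "no host";
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return "host not on allowlist";
        try {
            // Check every resolved address: a single internal record is enough to reject.
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (isInternal(a)) return "resolves to internal address " + a.getHostAddress();
            }
        } catch (java.net.UnknownHostException e) {
            return "host does not resolve";
        }
        // The HTTP client should connect to an address checked here and repeat the
        // check on every redirect, since a later DNS answer can differ from this one.
        return null;
    }

    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || uniqueLocalV6;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; IP literals are parsed without a DNS lookup.
        for (String ip : List.of("169.254.169.254", "127.0.0.1", "10.0.0.5", "fd00::1", "203.0.113.10"))
            System.out.println(ip + " internal=" + isInternal(InetAddress.getByName(ip)));
        for (String u : List.of("http://auth.example.com/.well-known/oauth-authorization-server",
                                "https://169.254.169.254/latest/meta-data/"))
            System.out.println(u + " -> " + reject(u));
    }
}
```

The address check stays in place even for allowlisted hosts, so an allowlisted name that starts resolving to a loopback, link-local or RFC1918 address is still refused.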


Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: spring-ai-community / mcp-security < 0.1.9
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N