Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
GHSA-qjp4-4jvr-xqg3 · CVE-2026-45609
Published · Modified
Description
Summary
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.
This only affects installations with Dynamic Client Registration (DCR) enabled:
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true
DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).
Workaround
When users need to perform DCR, they may provide their own McpOAuth2ClientManager. Both McpMetadataDiscoveryService and DynamicClientRegistrationService are also affected, if used, users should provide their own subclasses.
Alternatively, users can provide the default implementations of these classes with a RestClient that implements URL filtering through ClientHttpRequestInterceptor.
References
- WEB https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45609
- WEB https://github.com/spring-ai-community/mcp-security/pull/68
- WEB https://github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576
- PACKAGE https://github.com/spring-ai-community/mcp-security
- WEB https://github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9
Ready to move
Start Securing
Free, no credit card | First findings in minutes