CVE-2026-39885
Description
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
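As an added defender-side illustration (this is not code from FrontMCP, mcp-from-openapi, or json-schema-ref-parser), the check below walks an OpenAPI document before any dereferencer touches it and reports every $ref that is not a local "#/..." JSON pointer. That is exactly the class of reference a resolver with no URL restrictions would follow off-host: http(s) URLs, file URIs, and relative paths resolved against the spec's own location. The sample spec, hostnames and paths in it are constructed for the example.

```javascript
// Added example, not project code: reject untrusted OpenAPI documents that
// contain external $ref pointers before handing them to a $ref dereferencer.

const LOCAL_POINTER = /^#(\/|$)/; // "#" or "#/components/..." (RFC 6901 fragment)

// Classify one $ref value by where a default-configured resolver would go for it.
function classifyRef(ref) {
  if (typeof ref !== "string") return "invalid";
  if (ref.startsWith("#")) return LOCAL_POINTER.test(ref) ? "local" : "invalid";
  if (/^https?:\/\//i.test(ref)) return "http";        // network fetch (SSRF surface)
  if (/^file:/i.test(ref)) return "file";              // local file read
  return "relative-path";                              // resolved on the local filesystem
}

// Depth-first walk over the document; returns every non-local $ref with its JSON path.
function findExternalRefs(spec) {
  const found = [];
  const seen = new Set(); // guard against cyclic object graphs built in memory
  function walk(node, path) {
    if (node === null || typeof node !== "object" || seen.has(node)) return;
    seen.add(node);
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}/${i}`));
      return;
    }
    for (const [key, value] of Object.entries(node)) {
      // Escape "~" and "/" per RFC 6901 so the reported path is a valid pointer.
      const childPath = `${path}/${key.replace(/~/g, "~0").replace(/\//g, "~1")}`;
      if (key === "$ref") {
        const kind = classifyRef(value);
        if (kind !== "local") found.push({ path: childPath, ref: value, kind });
      } else {
        walk(value, childPath);
      }
    }
  }
  walk(spec, "#");
  return found;
}

// Gate to call before dereferencing: throws with an audit-friendly message.
function assertLocalRefsOnly(spec) {
  const external = findExternalRefs(spec);
  if (external.length > 0) {
    const detail = external.map((e) => `${e.path} -> ${e.ref} (${e.kind})`).join("; ");
    throw new Error(`refusing to dereference spec with external $ref: ${detail}`);
  }
  return spec;
}

// Constructed sample document (hostnames and paths are placeholders, not real targets).
const sampleSpec = {
  openapi: "3.0.3",
  info: { title: "constructed sample", version: "1.0.0" },
  paths: {
    "/pets": {
      get: {
        responses: {
          "200": {
            content: { "application/json": { schema: { $ref: "#/components/schemas/Pet" } } },
          },
        },
      },
    },
  },
  components: {
    schemas: {
      Pet: {
        type: "object",
        properties: {
          id: { type: "integer" },
          owner: { $ref: "http://internal-service.example/owner.json" },
        },
      },
      Secret: { $ref: "file:///etc/hostname" },
      Shared: { $ref: "../common/definitions.yaml#/Shared" },
    },
  },
};

console.log(JSON.stringify(findExternalRefs(sampleSpec), null, 2));
```

json-schema-ref-parser itself exposes a resolve.external option (when false, only internal pointers are resolved) and per-resolver resolve.http / resolve.file switches; a pre-flight check like the one above is independent of those library settings and leaves an explicit record of which references were rejected, which is what a reviewer of server logs wants to see when an untrusted specification is turned away.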
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| mcp-from-openapi (npm) | < 2.3.0 | 2.3.0 |
| @frontmcp/sdk (npm) | < 1.0.4 | 1.0.4 |
| @frontmcp/adapters (npm) | < 1.0.4 | 1.0.4 |
Affected products
- cpe:2.3:a:agentfront:\@frontmcp\/adapters:*:*:*:*:*:node.js:*:* (range: < 1.0.4)
References
- github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-v6ph-xcq9-qxxj (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-39885 (GHSA: Advisory)
- github.com/agentfront/frontmcp/releases/tag/v1.0.4 (NVD: Product)