Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
Description
Summary
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.
This only affects installations with Dynamic Client Registration (DCR) enabled:
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true
DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).
Workaround
When users need to perform DCR, they may provide their own McpOAuth2ClientManager. McpMetadataDiscoveryService and DynamicClientRegistrationService are also affected; if they are used, users should provide their own subclasses.
Alternatively, users can provide the default implementations of these classes with a RestClient that implements URL filtering through ClientHttpRequestInterceptor.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-45609: SSRF in spring-ai-community/mcp-security due to missing URL validation in Dynamic Client Registration, allowing attackers to probe internal networks.
Vulnerability
Overview
The mcp-security framework fails to implement mandatory SSRF mitigations required by the Model Context Protocol security specifications [2]. When Dynamic Client Registration (DCR) is enabled, the framework processes untrusted URLs from MCP Servers and Authorization Servers without validating whether they point to internal or malicious hosts [3]. This includes URLs for protected resource metadata, authorization server endpoints, and OAuth2 discovery URLs.
Exploitation
An attacker controlling a malicious MCP Server can supply crafted URLs that cause the client to make requests to internal network resources, such as cloud metadata endpoints or local services [1]. No authentication is required beyond the ability to register a malicious server or intercept the DCR flow. The vulnerability only affects installations with DCR enabled (spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true) [2].
Impact
Successful exploitation allows an attacker to perform Server-Side Request Forgery (SSRF) attacks, potentially accessing internal services, cloud instance metadata, or other sensitive resources that are not intended to be exposed externally [3]. This can lead to information disclosure or further lateral movement within the network.
Mitigation
The issue is fixed in version 0.1.9 of the mcp-security library [1]. Users should upgrade immediately. As a workaround, users can provide a custom McpOAuth2ClientManager or configure a RestClient with URL filtering interceptors [2]. Additionally, a new configuration property spring.ai.mcp.client.authorization.dynamic-client-registration.allow-loopback-addresses has been introduced to allow loopback addresses only for development [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 0.1.9
Patches
e6b67d8a67cd README: document URL validation
1 file changed · +21 −2
README.md+21 −2 modified@@ -420,6 +420,8 @@ spring.ai.mcp.client.streamable-http.connections.my-mcp-server.url=http://localh # Enable Dynamic Client Registration (default: false) spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true +# For development purposes, allow loopback addresses for MCP Servers and Auth Servers (default: false) +spring.ai.mcp.client.authorization.dynamic-client-registration.allow-loopback-addresses=true ``` Then, configure a `SecurityFilterChain` with the provided `McpClientOAuth2Configurer`: @@ -447,7 +449,7 @@ This is all you need. The auto-configuration module sets up the following beans: - `McpClientRegistrationRepository`: a `ClientRegistrationRepository` that also tracks the associated MCP resource identifier - `McpOAuth2ClientManager`: manages Dynamic Client Registration (DCR) and scope step-up -- `McpMetadataDiscoveryService` and `DynamicClientRegistrationService`: infrastructure for DCR +- `UrlValidator`, `McpMetadataDiscoveryService` and `DynamicClientRegistrationService`: infrastructure for DCR - Various `McpClientConfigurer` to update MCP transports and MCP clients so a token is added on every request For a complete working example, see the 
@@ -518,9 +520,26 @@ When enabled, the flow works as follows: DCR is disabled by default in the `mcp-client-security-spring-boot` auto-configuration. To enable it, set `spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true`. -When disabled, ensure you either have a single `ClientRegistration` registered under `spring.security.oauth2.client.registration`, or provide your own `OAuth2HttpClientTransportCustomizer` bean. +When disabled, ensure you either have a single `ClientRegistration` registered under +`spring.security.oauth2.client.registration`, or provide your own `OAuth2HttpClientTransportCustomizer` bean. Scope step-up is still supported when DCR is disabled. +#### URL Validation + +As a security measure to prevent Server-Side Request Forgery (SSRF), MCP Security enforces HTTPS for all URLs involved +in the Dynamic Client Registration flow, including the resource metadata URL and the authorization server endpoints. +This validation is provided by the `UrlValidator` interface and its implementation. +For production use-cases, tailor the SSRF checks to your specific network setup with a custom implementation of +`UrlValidator`. + +When using `mcp-client-security-spring-boot`, when running in development mode, you may need to allow HTTP urls. You can +explicitly allow HTTP for loopback addresses (like `localhost`, `127.0.0.1`, and `[::1]`) by setting the following +property: + +```properties +spring.ai.mcp.client.authorization.dynamic-client-registration.allow-loopback-addresses=true +``` + ### Use with `McpClientOAuth2Configurer` `McpClientOAuth2Configurer` is a Spring Security configurer that sets up OAuth2 client support for MCP,
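Review bot: In the properties example at @@ -420,6 +420,8 @@, the added line `spring.ai.mcp.client.authorization.dynamic-client-registration.allow-loopback-addresses=true` sits uncommented in the same block readers copy to enable DCR, so a copy-paste turns on the development-only relaxation even though its own comment says the default is false. Suggest showing the line commented out here, or keeping it only in the development paragraph of the URL Validation section.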
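Review bot: In the bean list at @@ -447,7 +449,7 @@, `UrlValidator` is folded into the "infrastructure for DCR" bullet with no hint that it is the SSRF check or that it is the extension point the URL Validation section asks users to customize. Suggest giving it its own bullet that says what it validates and points to that section, and stating whether a user-supplied `UrlValidator` bean replaces the auto-configured one.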
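Review bot: The new URL Validation section at @@ -518,9 +520,26 @@ describes the SSRF measure only as "enforces HTTPS for all URLs", which leaves open whether the default `UrlValidator` also rejects private, link-local or loopback targets reached over HTTPS; the section should state exactly what the default implementation checks. The following sentence asks for a custom `UrlValidator` in production but shows neither the interface method nor how to register the implementation, and the loopback paragraph says the property allows "HTTP for loopback addresses" while the property is named allow-loopback-addresses, so say whether it relaxes the scheme check, the address check, or both. Minor points: "When using ..., when running in development mode" repeats itself, "HTTP urls" should read "HTTP URLs", and the rewrap of the "When disabled, ensure you either have ..." sentence is unrelated to the change.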
References
- github.com/advisories/GHSA-qjp4-4jvr-xqg3 (ghsa, ADVISORY)
- github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576 (ghsa)
- github.com/spring-ai-community/mcp-security/pull/68 (ghsa)
- github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9 (ghsa)
- github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3 (ghsa)