PT-2026-41691 · Spring Ai Community+1 · Amc Security+1

Srikanthramu · Published 2026-05-18 · Updated 2026-05-29 · CVE-2026-45609

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

mcp-security versions prior to 0.1.9

Description

The mcp-security framework fails to implement the mandatory Server-Side Request Forgery (SSRF) mitigations outlined in the Model Context Protocol (MCP) security specifications. SSRF is a flaw where an attacker can induce the server to make requests to an unintended location. The framework processes untrusted URLs for OAuth-related discovery and metadata without verifying whether the targets are malicious or internal to the network. This issue specifically affects installations where Dynamic Client Registration (DCR) is enabled via the spring.ai.mcp.client.authorization.dynamic-client-registration.enabled property. DCR does not validate URLs exposed by MCP Servers, such as the protected resource metadata URL and authorization server URL, nor does it validate OAuth2 endpoints from Authorization Servers.

Recommendations

Update to version 0.1.9. As a temporary workaround, provide a custom McpOAuth2ClientManager when performing DCR. Provide custom subclasses for McpMetadataDiscoveryService and DynamicClientRegistrationService if they are in use. Implement URL filtering by providing the default implementations of these classes with a RestClient that utilizes a ClientHttpRequestInterceptor.
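
The URL filtering named in the workaround, as an added example that is not code from this advisory or from the mcp-security project: a ClientHttpRequestInterceptor that rejects non-HTTPS URLs and hosts resolving to internal addresses before the request is sent. The class name SsrfFilteringInterceptor, the HTTPS-only rule and the set of blocked ranges are assumptions; how the resulting RestClient is handed to the service classes is not shown on this page.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestClient;

// Added example: class name and filtering policy are assumptions, not mcp-security code.
public class SsrfFilteringInterceptor implements ClientHttpRequestInterceptor {

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        URI uri = request.getURI();
        String host = uri.getHost();
        // Assumed policy: discovery, metadata and OAuth2 endpoints must be HTTPS.
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("Blocked outbound request, scheme or host not allowed: " + uri);
        }
        // Check every address the name resolves to, not only the first one.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isInternal(addr)) {
                throw new IOException("Blocked outbound request to internal address: " + host);
            }
        }
        return execution.execute(request, body);
    }

    // Internal means loopback, wildcard, link-local, private, multicast or IPv6 unique-local.
    static boolean isInternal(InetAddress addr) {
        byte[] b = addr.getAddress();
        // fc00::/7 is not reported by isSiteLocalAddress(), so test it by prefix.
        boolean uniqueLocalV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;
        return addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                || addr.isLinkLocalAddress()   // includes 169.254.0.0/16
                || addr.isSiteLocalAddress()   // 10/8, 172.16/12, 192.168/16
                || addr.isMulticastAddress() || uniqueLocalV6;
    }

    // RestClient carrying the filter, for the default service implementations.
    public static RestClient filteredRestClient() {
        return RestClient.builder().requestInterceptor(new SsrfFilteringInterceptor()).build();
    }
}
```

The check runs once per request at the Spring layer, so redirects followed inside the underlying HTTP client and the second DNS lookup made at connect time are not covered by it. Disable automatic redirects on the request factory, or restrict egress at the network layer as well.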

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-45609
GHSA-QJP4-4JVR-XQG3

Affected Products

Amc Security
Org.Springaicommunity:Mcp-Client-Security