PT-2026-60392 · Go · Github.Com/Stacklok/Toolhive
CVE-2026-58196
·
Published
2026-07-15
·
Updated
2026-07-15
CVSS v3.1
4.7
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
Security Advisory: SSRF in remote MCP server authentication discovery
Severity: High. CWE: CWE-918. Affected: ToolHive through the latest release v0.29.3 and current
main (HEAD b672d82f, 2026-06-12; re-verified 2026-06-14). FetchResourceMetadata and the discovery clients remain unguarded; no commits to pkg/auth/discovery or pkg/auth/remote address this. Originally identified at commit 05f11b53; all line references below are against HEAD b672d82f.Summary
ToolHive's remote MCP server authentication discovery issues outbound HTTP requests to URLs the remote MCP server controls, with no private-IP or loopback guard and no restriction on redirects. ToolHive's core security model treats every MCP server as untrusted: the README states it "runs every MCP server in an isolated container" with "no local credentials," and it ships an egress proxy for network isolation. This discovery code runs host-side, in the ToolHive process, before and outside that per-server container sandbox. A malicious or compromised remote MCP server, added by a user through ToolHive's normal remote-server workflow, can therefore drive the ToolHive host itself to fetch arbitrary internal URLs, including cloud instance metadata, which bypasses the isolation ToolHive exists to provide. The user never selects a malicious target; they connect to a server they intend to use, and the attack is carried entirely in that server's discovery response.
ToolHive already establishes this boundary in code.
ValidateRemoteURL (cmd/thv-operator/pkg/validation/url validation.go:61) rejects internal IPs and known internal hostnames for the configured remote URL, and IsPrivateIP (pkg/networking/utilities.go:105) blocks RFC1918, link-local, 169.254.0.0/16, and loopback for outbound requests. The discovery clients below never call either guard, and the attacker-supplied resource metadata URL and its redirect target are validated by neither. This is a deviation from the project's intended behavior, not a configuration choice by the operator.The discovery clients are explicitly marked as trusted
The three outbound requests in this finding carry the maintainers' own gosec suppressions, each with a rationale comment asserting the URL is trusted:
discovery.go:165--resp, err := client.Do(req) // #nosec G704 -- targetURI is the MCP server endpoint URL from internal configdiscovery.go:219--resp, err := client.Do(req) // #nosec G704 -- uri is built from the MCP server endpoint for auth discoverydiscovery.go:931--resp, err := client.Do(req) // #nosec G704 -- URL is the OIDC well-known metadata endpoint
gosec's G704 is its SSRF taint-analysis rule: it flags exactly this pattern, an HTTP request whose URL flows from external input. The suppressions dismiss it on the premise that the URL comes "from internal config" or is "the MCP server endpoint." That premise is the bug. The targetURI is the remote MCP server endpoint, and the resource metadata URL at line 931 comes straight from the server's
WWW-Authenticate header (parsed by ParseWWWAuthenticate, discovery.go:293; resource metadata extracted at discovery.go:315). Under ToolHive's own threat model the remote MCP server is untrusted, so "the MCP server endpoint" is attacker-controlled input, not internal config. A parallel cluster of //nolint:gosec // G706 (log-injection) suppressions on the same discovery responses (discovery.go:212, 221, 240, 268, 273, 280) shows the same data being treated as trusted throughout this code path. The maintainers saw the taint-analysis warning on these requests and waved it through on a trust assumption that contradicts the project's design.Relationship to existing reports
This is distinct from issue #5135 (DCR resolver SSRF). #5135 is scoped to the DCR registration client, which already refuses redirects:
client.CheckRedirect = errDCRRedirectRefused (pkg/auth/dcr/resolver.go:1281), with an in-code comment explaining that the wrapping client "refuses to follow HTTP redirects ... never for a redirected request whose URL the upstream chose" (resolver.go:1240). The discovery sinks below set no CheckRedirect and no private-IP guard, and are reached by a different path (the WWW-Authenticate resource metadata discovery and the OIDC issuer discovery). The project demonstrably understands that redirect-following to an upstream-chosen URL is dangerous and guarded the DCR client against it; it left the discovery clients open. Fixing #5135 does not address them.This is also distinct from GHSA-pph6-vfjv-vpjw (published 2026-06-04), which reports that the
IsPrivateIP guard itself misses the IPv6 NAT64 ranges and so requires a NAT64/DNS64 gateway to reach internal addresses. The finding here does not depend on that guard's completeness: the discovery clients never call IsPrivateIP at all, so the host fetches 169.254.169.254 directly on any deployment, with no NAT64 dependency, and additionally follows redirects. The NAT64 fix to IsPrivateIP does not protect these clients because they do not use the guard.Details
remote.Handler.Authenticatecallsdiscovery.DetectAuthenticationFromServer(pkg/auth/remote/handler.go:62), which issues a GET to the remote URL (client built at discovery.go:93 with noCheckRedirect; request at discovery.go:165).- A
401withWWW-Authenticate: Bearer ... resource metadata="<url>"is parsed byParseWWWAuthenticate(discovery.go:293), and the server-suppliedresource metadatavalue is stored (discovery.go:315). tryDiscoverFromResourceMetadatacallsFetchResourceMetadata(handler.go:411, discovery.go:899). That client is built with noCheckRedirectand no private-IP dialer guard (discovery.go:916) and issuesclient.Do(GET <attacker url>)(discovery.go:931).FetchResourceMetadatarequires the initial metadata URL to use HTTPS (discovery.go:911), but that check runs once on the supplied URL only; the client then follows the302 Locationto any scheme and any address with no re-validation.- The OIDC issuer discovery path (
.well-known/openid-configuration,.well-known/oauth-authorization-server) and the well-known existence probe (discovery.go:219) use the same unguarded client pattern.
Proof of concept (reproduced; recording available)
The attacker is the remote MCP server, not a URL the victim chooses. The victim connects to a server they intend to use (from a registry, a shared config, or a previously-legitimate endpoint that was later compromised) and the entire attack lives in that server's discovery response.
- A remote MCP server the victim has added responds to discovery with
401 WWW-Authenticate: Bearer realm="x", resource metadata="https://<server>/.well-known/oauth-protected-resource"(HTTPS, so it passes the discovery.go:911 scheme check), and returns302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>for that metadata URL. In the recording a loopback mock instance-metadata service stands in for169.254.169.254to avoid touching a real cloud account; the ToolHive code path is identical on a cloud instance, where the same redirect reaches the real metadata endpoint with no extra precondition. - The victim runs that server the normal way:
thv run <remote-mcp-server> --remote-auth. ToolHive performs the auth discovery automatically; the victim never targets an internal address. - Observed: ToolHive's host process fetches the server-supplied resource metadata URL and follows the
302to the internal metadata path with no address filtering. The mock instance-metadata service received the request from ToolHive's Go HTTP client (Go-http-client/1.1) and returned aMetadata-Flavorheader with IAM credentials, confirming the host follows the server-controlled redirect to an internal endpoint. The proven primitive is "the ToolHive host issues a GET to a server-controlled internal address and follows redirects with no filtering." On an instance with AWS IMDSv1 enabled that primitive returns IAM credentials directly, since IMDSv1 answers a plain GET. IMDSv2 (token viaPUTplus a header) and GCP (Metadata-Flavorheader) are not reachable by a redirect-following GET, so on those the reachable impact is the broader internal-GET surface: internal-only HTTP services, IMDSv1 where still enabled, link-local and RFC1918 endpoints, and reachability or error oracles.
Impact
A remote MCP server forces the host to issue arbitrary internal GET requests with redirect following and no address filtering. The host-side reach is the proven impact: internal-only services not exposed to the network, link-local and RFC1918 endpoints, and reachability or error oracles. On instances with AWS IMDSv1 enabled the request to
169.254.169.254 returns IAM credentials directly. Because the discovery runs in the host process and not in the per-server container, this is exactly the reach that the MCP server's own container sandbox is designed to deny.Suggested fix
Apply the DCR client's hardening to the discovery clients: set
CheckRedirect to reject cross-host or scheme-downgrade redirects, and wrap DialContext with the project's existing IsPrivateIP guard (pkg/networking/utilities.go:105) for FetchResourceMetadata, DetectAuthenticationFromServer, and the issuer-discovery client. Re-validating the redirect target, not only the initial URL, is the load-bearing part: the discovery.go:911 HTTPS check is bypassed by a 302 from an HTTPS metadata URL to an internal http address.Verification status
The resource metadata path was dynamically reproduced with a recording (against commit 05f11b53; the sink code at HEAD b672d82f is source-identical, with the unguarded clients and the three
#nosec G704 suppressions confirmed present). The OIDC issuer discovery path is confirmed by source review against the same unguarded client and is in scope of the same fix.Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Stacklok/Toolhive