PT-2026-60392 · Go · Github.Com/Stacklok/Toolhive

CVE-2026-58196

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v3.1

4.7

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Security Advisory: SSRF in remote MCP server authentication discovery

Severity: High. CWE: CWE-918. Affected: ToolHive through the latest release v0.29.3 and current main (HEAD b672d82f, 2026-06-12; re-verified 2026-06-14). FetchResourceMetadata and the discovery clients remain unguarded; no commits to pkg/auth/discovery or pkg/auth/remote address this. Originally identified at commit 05f11b53; all line references below are against HEAD b672d82f.

Summary

ToolHive's remote MCP server authentication discovery issues outbound HTTP requests to URLs the remote MCP server controls, with no private-IP or loopback guard and no restriction on redirects. ToolHive's core security model treats every MCP server as untrusted: the README states it "runs every MCP server in an isolated container" with "no local credentials," and it ships an egress proxy for network isolation. This discovery code runs host-side, in the ToolHive process, before and outside that per-server container sandbox. A malicious or compromised remote MCP server, added by a user through ToolHive's normal remote-server workflow, can therefore drive the ToolHive host itself to fetch arbitrary internal URLs, including cloud instance metadata, which bypasses the isolation ToolHive exists to provide. The user never selects a malicious target; they connect to a server they intend to use, and the attack is carried entirely in that server's discovery response.
ToolHive already establishes this boundary in code. ValidateRemoteURL (cmd/thv-operator/pkg/validation/url validation.go:61) rejects internal IPs and known internal hostnames for the configured remote URL, and IsPrivateIP (pkg/networking/utilities.go:105) blocks RFC1918, link-local, 169.254.0.0/16, and loopback for outbound requests. The discovery clients below never call either guard, and the attacker-supplied resource metadata URL and its redirect target are validated by neither. This is a deviation from the project's intended behavior, not a configuration choice by the operator.

The discovery clients are explicitly marked as trusted

The three outbound requests in this finding carry the maintainers' own gosec suppressions, each with a rationale comment asserting the URL is trusted:
  • discovery.go:165 -- resp, err := client.Do(req) // #nosec G704 -- targetURI is the MCP server endpoint URL from internal config
  • discovery.go:219 -- resp, err := client.Do(req) // #nosec G704 -- uri is built from the MCP server endpoint for auth discovery
  • discovery.go:931 -- resp, err := client.Do(req) // #nosec G704 -- URL is the OIDC well-known metadata endpoint
gosec's G704 is its SSRF taint-analysis rule: it flags exactly this pattern, an HTTP request whose URL flows from external input. The suppressions dismiss it on the premise that the URL comes "from internal config" or is "the MCP server endpoint." That premise is the bug. The targetURI is the remote MCP server endpoint, and the resource metadata URL at line 931 comes straight from the server's WWW-Authenticate header (parsed by ParseWWWAuthenticate, discovery.go:293; resource metadata extracted at discovery.go:315). Under ToolHive's own threat model the remote MCP server is untrusted, so "the MCP server endpoint" is attacker-controlled input, not internal config. A parallel cluster of //nolint:gosec // G706 (log-injection) suppressions on the same discovery responses (discovery.go:212, 221, 240, 268, 273, 280) shows the same data being treated as trusted throughout this code path. The maintainers saw the taint-analysis warning on these requests and waved it through on a trust assumption that contradicts the project's design.

Relationship to existing reports

This is distinct from issue #5135 (DCR resolver SSRF). #5135 is scoped to the DCR registration client, which already refuses redirects: client.CheckRedirect = errDCRRedirectRefused (pkg/auth/dcr/resolver.go:1281), with an in-code comment explaining that the wrapping client "refuses to follow HTTP redirects ... never for a redirected request whose URL the upstream chose" (resolver.go:1240). The discovery sinks below set no CheckRedirect and no private-IP guard, and are reached by a different path (the WWW-Authenticate resource metadata discovery and the OIDC issuer discovery). The project demonstrably understands that redirect-following to an upstream-chosen URL is dangerous and guarded the DCR client against it; it left the discovery clients open. Fixing #5135 does not address them.
This is also distinct from GHSA-pph6-vfjv-vpjw (published 2026-06-04), which reports that the IsPrivateIP guard itself misses the IPv6 NAT64 ranges and so requires a NAT64/DNS64 gateway to reach internal addresses. The finding here does not depend on that guard's completeness: the discovery clients never call IsPrivateIP at all, so the host fetches 169.254.169.254 directly on any deployment, with no NAT64 dependency, and additionally follows redirects. The NAT64 fix to IsPrivateIP does not protect these clients because they do not use the guard.

Details

  1. remote.Handler.Authenticate calls discovery.DetectAuthenticationFromServer (pkg/auth/remote/handler.go:62), which issues a GET to the remote URL (client built at discovery.go:93 with no CheckRedirect; request at discovery.go:165).
  2. A 401 with WWW-Authenticate: Bearer ... resource metadata="<url>" is parsed by ParseWWWAuthenticate (discovery.go:293), and the server-supplied resource metadata value is stored (discovery.go:315).
  3. tryDiscoverFromResourceMetadata calls FetchResourceMetadata (handler.go:411, discovery.go:899). That client is built with no CheckRedirect and no private-IP dialer guard (discovery.go:916) and issues client.Do(GET <attacker url>) (discovery.go:931). FetchResourceMetadata requires the initial metadata URL to use HTTPS (discovery.go:911), but that check runs once on the supplied URL only; the client then follows the 302 Location to any scheme and any address with no re-validation.
  4. The OIDC issuer discovery path (.well-known/openid-configuration, .well-known/oauth-authorization-server) and the well-known existence probe (discovery.go:219) use the same unguarded client pattern.

Proof of concept (reproduced; recording available)

The attacker is the remote MCP server, not a URL the victim chooses. The victim connects to a server they intend to use (from a registry, a shared config, or a previously-legitimate endpoint that was later compromised) and the entire attack lives in that server's discovery response.
  1. A remote MCP server the victim has added responds to discovery with 401 WWW-Authenticate: Bearer realm="x", resource metadata="https://<server>/.well-known/oauth-protected-resource" (HTTPS, so it passes the discovery.go:911 scheme check), and returns 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> for that metadata URL. In the recording a loopback mock instance-metadata service stands in for 169.254.169.254 to avoid touching a real cloud account; the ToolHive code path is identical on a cloud instance, where the same redirect reaches the real metadata endpoint with no extra precondition.
  2. The victim runs that server the normal way: thv run <remote-mcp-server> --remote-auth. ToolHive performs the auth discovery automatically; the victim never targets an internal address.
  3. Observed: ToolHive's host process fetches the server-supplied resource metadata URL and follows the 302 to the internal metadata path with no address filtering. The mock instance-metadata service received the request from ToolHive's Go HTTP client (Go-http-client/1.1) and returned a Metadata-Flavor header with IAM credentials, confirming the host follows the server-controlled redirect to an internal endpoint. The proven primitive is "the ToolHive host issues a GET to a server-controlled internal address and follows redirects with no filtering." On an instance with AWS IMDSv1 enabled that primitive returns IAM credentials directly, since IMDSv1 answers a plain GET. IMDSv2 (token via PUT plus a header) and GCP (Metadata-Flavor header) are not reachable by a redirect-following GET, so on those the reachable impact is the broader internal-GET surface: internal-only HTTP services, IMDSv1 where still enabled, link-local and RFC1918 endpoints, and reachability or error oracles.

Impact

A remote MCP server forces the host to issue arbitrary internal GET requests with redirect following and no address filtering. The host-side reach is the proven impact: internal-only services not exposed to the network, link-local and RFC1918 endpoints, and reachability or error oracles. On instances with AWS IMDSv1 enabled the request to 169.254.169.254 returns IAM credentials directly. Because the discovery runs in the host process and not in the per-server container, this is exactly the reach that the MCP server's own container sandbox is designed to deny.

Suggested fix

Apply the DCR client's hardening to the discovery clients: set CheckRedirect to reject cross-host or scheme-downgrade redirects, and wrap DialContext with the project's existing IsPrivateIP guard (pkg/networking/utilities.go:105) for FetchResourceMetadata, DetectAuthenticationFromServer, and the issuer-discovery client. Re-validating the redirect target, not only the initial URL, is the load-bearing part: the discovery.go:911 HTTPS check is bypassed by a 302 from an HTTPS metadata URL to an internal http address.

Verification status

The resource metadata path was dynamically reproduced with a recording (against commit 05f11b53; the sink code at HEAD b672d82f is source-identical, with the unguarded clients and the three #nosec G704 suppressions confirmed present). The OIDC issuer discovery path is confirmed by source review against the same unguarded client and is in scope of the same fix.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58196
GHSA-PR64-JMMF-JP54

Affected Products

Github.Com/Stacklok/Toolhive