Skip to main content

ToolHive CVE-2026-58196

LOW
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-15 https://github.com/stacklok/toolhive GHSA-pr64-jmmf-jp54
4.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
vuln.today AI
4.7 MEDIUM

Network attacker controls the MCP server; victim must run it (UI:R); scope changes as host escapes container isolation; confidentiality low as base (internal GET oracle), elevated to H situationally on IMDSv1 instances.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 00:01 vuln.today
Analysis Generated
Jul 16, 2026 - 00:01 vuln.today

DescriptionGitHub Advisory

Security Advisory: SSRF in remote MCP server authentication discovery

Severity: High. CWE: CWE-918. Affected: ToolHive through the latest release v0.29.3 and current main (HEAD b672d82f, 2026-06-12; re-verified 2026-06-14). FetchResourceMetadata and the discovery clients remain unguarded; no commits to pkg/auth/discovery or pkg/auth/remote address this. Originally identified at commit 05f11b53; all line references below are against HEAD b672d82f.

Summary

ToolHive's remote MCP server authentication discovery issues outbound HTTP requests to URLs the remote MCP server controls, with no private-IP or loopback guard and no restriction on redirects. ToolHive's core security model treats every MCP server as untrusted: the README states it "runs every MCP server in an isolated container" with "no local credentials," and it ships an egress proxy for network isolation. This discovery code runs host-side, in the ToolHive process, before and outside that per-server container sandbox. A malicious or compromised remote MCP server, added by a user through ToolHive's normal remote-server workflow, can therefore drive the ToolHive host itself to fetch arbitrary internal URLs, including cloud instance metadata, which bypasses the isolation ToolHive exists to provide. The user never selects a malicious target; they connect to a server they intend to use, and the attack is carried entirely in that server's discovery response.

ToolHive already establishes this boundary in code. ValidateRemoteURL (cmd/thv-operator/pkg/validation/url_validation.go:61) rejects internal IPs and known internal hostnames for the configured remote URL, and IsPrivateIP (pkg/networking/utilities.go:105) blocks RFC1918, link-local, 169.254.0.0/16, and loopback for outbound requests. The discovery clients below never call either guard, and the attacker-supplied resource_metadata URL and its redirect target are validated by neither. This is a deviation from the project's intended behavior, not a configuration choice by the operator.

The discovery clients are explicitly marked as trusted

The three outbound requests in this finding carry the maintainers' own gosec suppressions, each with a rationale comment asserting the URL is trusted:

  • discovery.go:165 -- resp, err := client.Do(req) // #nosec G704 -- targetURI is the MCP server endpoint URL from internal config
  • discovery.go:219 -- resp, err := client.Do(req) // #nosec G704 -- uri is built from the MCP server endpoint for auth discovery
  • discovery.go:931 -- resp, err := client.Do(req) // #nosec G704 -- URL is the OIDC well-known metadata endpoint

gosec's G704 is its SSRF taint-analysis rule: it flags exactly this pattern, an HTTP request whose URL flows from external input. The suppressions dismiss it on the premise that the URL comes "from internal config" or is "the MCP server endpoint." That premise is the bug. The targetURI is the remote MCP server endpoint, and the resource_metadata URL at line 931 comes straight from the server's WWW-Authenticate header (parsed by ParseWWWAuthenticate, discovery.go:293; resource_metadata extracted at discovery.go:315). Under ToolHive's own threat model the remote MCP server is untrusted, so "the MCP server endpoint" is attacker-controlled input, not internal config. A parallel cluster of //nolint:gosec // G706 (log-injection) suppressions on the same discovery responses (discovery.go:212, 221, 240, 268, 273, 280) shows the same data being treated as trusted throughout this code path. The maintainers saw the taint-analysis warning on these requests and waved it through on a trust assumption that contradicts the project's design.

Relationship to existing reports

This is distinct from issue #5135 (DCR resolver SSRF). #5135 is scoped to the DCR registration client, which already refuses redirects: client.CheckRedirect = errDCRRedirectRefused (pkg/auth/dcr/resolver.go:1281), with an in-code comment explaining that the wrapping client "refuses to follow HTTP redirects ... never for a redirected request whose URL the upstream chose" (resolver.go:1240). The discovery sinks below set no CheckRedirect and no private-IP guard, and are reached by a different path (the WWW-Authenticate resource_metadata discovery and the OIDC issuer discovery). The project demonstrably understands that redirect-following to an upstream-chosen URL is dangerous and guarded the DCR client against it; it left the discovery clients open. Fixing #5135 does not address them.

This is also distinct from GHSA-pph6-vfjv-vpjw (published 2026-06-04), which reports that the IsPrivateIP guard itself misses the IPv6 NAT64 ranges and so requires a NAT64/DNS64 gateway to reach internal addresses. The finding here does not depend on that guard's completeness: the discovery clients never call IsPrivateIP at all, so the host fetches 169.254.169.254 directly on any deployment, with no NAT64 dependency, and additionally follows redirects. The NAT64 fix to IsPrivateIP does not protect these clients because they do not use the guard.

Details

  1. remote.Handler.Authenticate calls discovery.DetectAuthenticationFromServer (pkg/auth/remote/handler.go:62), which issues a GET to the remote URL (client built at discovery.go:93 with no CheckRedirect; request at discovery.go:165).
  2. A 401 with WWW-Authenticate: Bearer ... resource_metadata="<url>" is parsed by ParseWWWAuthenticate (discovery.go:293), and the server-supplied resource_metadata value is stored (discovery.go:315).
  3. tryDiscoverFromResourceMetadata calls FetchResourceMetadata (handler.go:411, discovery.go:899). That client is built with no CheckRedirect and no private-IP dialer guard (discovery.go:916) and issues client.Do(GET <attacker url>) (discovery.go:931). FetchResourceMetadata requires the initial metadata URL to use HTTPS (discovery.go:911), but that check runs once on the supplied URL only; the client then follows the 302 Location to any scheme and any address with no re-validation.
  4. The OIDC issuer discovery path (.well-known/openid-configuration, .well-known/oauth-authorization-server) and the well-known existence probe (discovery.go:219) use the same unguarded client pattern.

Proof of concept (reproduced; recording available)

The attacker is the remote MCP server, not a URL the victim chooses. The victim connects to a server they intend to use (from a registry, a shared config, or a previously-legitimate endpoint that was later compromised) and the entire attack lives in that server's discovery response.

  1. A remote MCP server the victim has added responds to discovery with 401 WWW-Authenticate: Bearer realm="x", resource_metadata="https://<server>/.well-known/oauth-protected-resource" (HTTPS, so it passes the discovery.go:911 scheme check), and returns 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> for that metadata URL. In the recording a loopback mock instance-metadata service stands in for 169.254.169.254 to avoid touching a real cloud account; the ToolHive code path is identical on a cloud instance, where the same redirect reaches the real metadata endpoint with no extra precondition.
  2. The victim runs that server the normal way: thv run <remote-mcp-server> --remote-auth. ToolHive performs the auth discovery automatically; the victim never targets an internal address.
  3. Observed: ToolHive's host process fetches the server-supplied resource_metadata URL and follows the 302 to the internal metadata path with no address filtering. The mock instance-metadata service received the request from ToolHive's Go HTTP client (Go-http-client/1.1) and returned a Metadata-Flavor header with IAM credentials, confirming the host follows the server-controlled redirect to an internal endpoint. The proven primitive is "the ToolHive host issues a GET to a server-controlled internal address and follows redirects with no filtering." On an instance with AWS IMDSv1 enabled that primitive returns IAM credentials directly, since IMDSv1 answers a plain GET. IMDSv2 (token via PUT plus a header) and GCP (Metadata-Flavor header) are not reachable by a redirect-following GET, so on those the reachable impact is the broader internal-GET surface: internal-only HTTP services, IMDSv1 where still enabled, link-local and RFC1918 endpoints, and reachability or error oracles.

Impact

A remote MCP server forces the host to issue arbitrary internal GET requests with redirect following and no address filtering. The host-side reach is the proven impact: internal-only services not exposed to the network, link-local and RFC1918 endpoints, and reachability or error oracles. On instances with AWS IMDSv1 enabled the request to 169.254.169.254 returns IAM credentials directly. Because the discovery runs in the host process and not in the per-server container, this is exactly the reach that the MCP server's own container sandbox is designed to deny.

Suggested fix

Apply the DCR client's hardening to the discovery clients: set CheckRedirect to reject cross-host or scheme-downgrade redirects, and wrap DialContext with the project's existing IsPrivateIP guard (pkg/networking/utilities.go:105) for FetchResourceMetadata, DetectAuthenticationFromServer, and the issuer-discovery client. Re-validating the redirect target, not only the initial URL, is the load-bearing part: the discovery.go:911 HTTPS check is bypassed by a 302 from an HTTPS metadata URL to an internal http address.

Verification status

The resource_metadata path was dynamically reproduced with a recording (against commit 05f11b53; the sink code at HEAD b672d82f is source-identical, with the unguarded clients and the three #nosec G704 suppressions confirmed present). The OIDC issuer discovery path is confirmed by source review against the same unguarded client and is in scope of the same fix.

AnalysisAI

Server-Side Request Forgery in ToolHive's host-side authentication discovery flow allows a malicious or compromised remote MCP server to force the ToolHive host process to issue arbitrary internal HTTP GET requests with redirect following and no address filtering, bypassing the container isolation that ToolHive is architecturally designed to enforce. Affected versions include all releases through v0.29.3 (commit b672d82f confirmed 2026-06-14); the fix is available in v0.31.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Add malicious MCP server to ToolHive
Delivery
Victim runs server with remote-auth flag
Exploit
Server returns 401 with crafted WWW-Authenticate resource_metadata URL
Install
ToolHive fetches HTTPS resource_metadata endpoint
C2
Server returns 302 redirect to internal address
Execute
Host process follows redirect with no address filtering
Impact
Internal endpoint (e.g., IMDSv1) returns sensitive data to attacker

Vulnerability AssessmentAI

Exploitation The victim must add the attacker-controlled or compromised remote MCP server to their ToolHive configuration and run it using the remote authentication workflow (thv run <remote-mcp-server> --remote-auth or equivalent), which triggers the authentication discovery flow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N) underrepresents real-world impact on cloud-hosted deployments with AWS IMDSv1 enabled, where the SSRF primitive directly returns IAM role credentials via a single redirect-following GET - an outcome closer to C:H in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates or has compromised a remote MCP server listed in a shared registry or team configuration; when a ToolHive user runs that server with remote authentication enabled, the server responds to the authentication discovery probe with a 401 containing WWW-Authenticate: Bearer resource_metadata='https://attacker.example/.well-known/oauth-protected-resource', which passes ToolHive's HTTPS scheme check at discovery.go:911. The attacker's HTTPS endpoint immediately returns HTTP 302 Location: http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name; ToolHive's unguarded discovery HTTP client follows the redirect without address filtering, delivering the request to the cloud metadata service. …
Remediation Upgrade ToolHive to v0.31.0, which is the vendor-released patched version per the package fix data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy