Skip to main content

Spring AI MCP Security EUVDEUVD-2026-33323

| CVE-2026-45609 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-18 https://github.com/spring-ai-community/mcp-security GHSA-qjp4-4jvr-xqg3
7.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 14:00 vuln.today
Analysis Generated
May 18, 2026 - 14:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.springaicommunity:mcp-client-security (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.1.9.

DescriptionGitHub Advisory

Summary

The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.

This only affects installations with Dynamic Client Registration (DCR) enabled:

properties
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true

DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).

Workaround

When users need to perform DCR, they may provide their own McpOAuth2ClientManager. Both McpMetadataDiscoveryService and DynamicClientRegistrationService are also affected, if used, users should provide their own subclasses.

Alternatively, users can provide the default implementations of these classes with a RestClient that implements URL filtering through ClientHttpRequestInterceptor.

AnalysisAI

Server-Side Request Forgery in the Spring AI Community mcp-security framework (org.springaicommunity:mcp-client-security versions before 0.1.9) allows remote attackers to coerce the MCP client into issuing HTTP requests to attacker-chosen URLs, including internal network targets. The flaw resides in the OAuth2 Dynamic Client Registration (DCR) flow, which fetches metadata and authorization-server URLs without validating them against SSRF protections required by the MCP security specification. No public exploit identified at time of analysis, but a vendor-confirmed patch is available in version 0.1.9.

Technical ContextAI

The affected component is org.springaicommunity:mcp-client-security, a Spring AI Community library that implements OAuth2 client functionality for the Model Context Protocol (MCP). MCP defines a Dynamic Client Registration flow where the client retrieves protected-resource-metadata URLs from MCP Servers and OAuth2 endpoint URLs (token, authorization, registration) from Authorization Servers. The vulnerable McpMetadataDiscoveryService and DynamicClientRegistrationService classes consume those URLs and dispatch HTTP requests via a Spring RestClient without applying the SSRF mitigations the MCP specification mandates (mitigation-3). This is a textbook CWE-918 Server-Side Request Forgery: untrusted input from an external party becomes the destination of a server-originated request, which an attacker can redirect to internal services (cloud metadata endpoints, intranet hosts, loopback admin interfaces). The fix introduces a new UrlValidator interface with a DefaultUrlValidator that enforces HTTPS, blocks loopback addresses by default, and adds a configuration property spring.ai.mcp.client.authorization.dynamic-client-registration.allow-loopback-addresses for development overrides.

RemediationAI

Vendor-released patch: 0.1.9 - upgrade org.springaicommunity:mcp-client-security to 0.1.9 or later, which adds a UrlValidator that enforces HTTPS and rejects loopback addresses by default for all DCR-related URLs (see https://github.com/spring-ai-community/mcp-security/pull/68 and commit e6b67d8a67cd7acbee6e4c0741c385d62e3ed576). If immediate upgrade is not possible, the vendor-documented workarounds are to disable Dynamic Client Registration by setting spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=false (this removes the ability to auto-register clients and will require a single statically configured ClientRegistration or a custom OAuth2HttpClientTransportCustomizer bean), or to supply a custom McpOAuth2ClientManager bean - and custom subclasses of McpMetadataDiscoveryService and DynamicClientRegistrationService if they are used directly - backed by a RestClient with a ClientHttpRequestInterceptor that performs egress filtering against an allowlist of permitted hosts. At the network layer, restrict outbound traffic from the MCP client process to known authorization-server hosts only, denying access to RFC1918 ranges, link-local 169.254.169.254 (cloud IMDS), and loopback to blunt SSRF impact even if the application-layer fix is delayed. Full advisory: https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-33323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy