PatchSiren cyber security CVE debrief
CVE-2026-45609 spring-ai-community CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in the mcp-security framework for Spring AI's Model Context Protocol (MCP) implementation. The framework fails to validate untrusted URLs during OAuth-related discovery and metadata retrieval, allowing attackers to induce the server to make requests to malicious or internal network targets. This vulnerability is only exploitable when Dynamic Client Registration (DCR) is enabled. The issue stems from missing mandatory SSRF mitigations specified in MCP security specifications. Attackers can leverage this to probe internal infrastructure, access metadata services, or interact with restricted network segments. The CVSS v3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and changed scope with low confidentiality and integrity impact.
- Vendor
- spring-ai-community
- Product
- mcp-security
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running Spring AI applications with mcp-security framework and Dynamic Client Registration enabled; security teams responsible for MCP implementations; developers building AI agent systems using Model Context Protocol; infrastructure teams managing OAuth and identity federation services
Technical summary
The mcp-security framework (versions prior to 0.1.9) for Spring AI's Model Context Protocol implementation contains a Server-Side Request Forgery vulnerability. When Dynamic Client Registration is enabled, the framework processes untrusted URLs for OAuth discovery and metadata without implementing required SSRF protections from the MCP security specifications. This allows attackers to manipulate URLs to target internal services, cloud metadata endpoints, or other restricted resources. The vulnerability is classified as CWE-918 and carries a HIGH severity CVSS 7.2 score. Remediation requires upgrading to version 0.1.9 or disabling DCR functionality.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade mcp-security to version 0.1.9 or later to remediate this vulnerability
- Disable Dynamic Client Registration (DCR) if not required for business operations as an interim mitigation
- Implement network egress filtering to restrict outbound connections from application servers hosting mcp-security
- Deploy SSRF protection mechanisms including URL validation, allowlist-based destination controls, and DNS rebinding protections
- Monitor application logs for anomalous outbound requests to unexpected internal or external destinations
- Review OAuth discovery endpoint configurations to ensure only trusted URLs are processed
- Conduct security assessment of MCP implementation to verify compliance with MCP security specifications
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-qjp4-4jvr-xqg3. CWE-918 (Server-Side Request Forgery) classified as primary weakness. Fixed in version 0.1.9.
Official resources
-
CVE-2026-45609 CVE record
CVE.org
-
CVE-2026-45609 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29