CVE-2026-45609

EPSS 0.2%
Veröffentlicht 29.05.2026 13:48:06
Zuletzt bearbeitet 03.06.2026 14:08:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

mcp-security: Unvalidated URL Fetching (SSRF)

mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled This vulnerability is fixed in 0.1.9.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Springaicommunity ≫ Mcp Security Version >= 0.1.0 < 0.1.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.096

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-45609

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45609

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45609

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45609