HIGH 7.2

CVE-2026-45609: SSRF in mcp-security Dynamic Client Registration

mcp-security, a Spring AI component that manages security and authorization for the Model Context Protocol, contains a Server-Side Request Forgery (SSRF) vulnerability in versions before 0.1.9. When Dynamic Client Registration is enabled, the framework processes OAuth discovery and metadata URLs without properly validating them, allowing an attacker to redirect requests to internal network resources or malicious endpoints. This could lead to information disclosure or unauthorized actions on systems the application can reach.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled This vulnerability is fixed in 0.1.9.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45609 is an SSRF vulnerability in mcp-security's OAuth discovery flow. The vulnerability stems from insufficient input validation on URLs used during Dynamic Client Registration (DCR). The framework fails to implement the mandatory SSRF mitigations specified in the Model Context Protocol security guidelines, specifically neglecting to verify whether target URLs point to internal resources or known-malicious endpoints before making HTTP requests. An unauthenticated network attacker can exploit this by crafting a malicious OAuth metadata URL that causes the application to make requests to internal systems, potentially exfiltrating sensitive configuration or credentials.

Business impact

Organizations using mcp-security with DCR enabled face exposure of internal network topology, cloud metadata endpoints, or sensitive application configurations. An attacker could leverage this to discover internal services, bypass firewall controls, or pivot to backend systems. In a Spring AI deployment context, this could compromise AI model inference infrastructure or connected data repositories. The impact is particularly acute in containerized or cloud-native environments where metadata services are readily accessible.

Affected systems

The vulnerability affects mcp-security versions prior to 0.1.9. Only installations with Dynamic Client Registration enabled are vulnerable. This applies to Spring AI deployments that use mcp-security for OAuth-based authorization flows. Version 0.1.9 and later contain the fix.

Exploitability

Exploitation requires network access to the vulnerable application but no authentication or user interaction. The attack surface is present wherever an attacker can influence OAuth discovery metadata URLs—typically through configuration manipulation, redirect attacks, or compromised discovery endpoints. The CVSS 3.1 score of 7.2 reflects the network-accessible nature, low complexity, and lack of privilege requirements, though confidentiality and integrity impacts are partial rather than complete.

Remediation

Upgrade mcp-security to version 0.1.9 or later immediately. If DCR is not required, disable it to eliminate the attack vector pending patching. Review OAuth configuration to ensure metadata endpoints are hardcoded to trusted sources rather than user-supplied or environment-variable-driven URLs.

Patch guidance

Apply the official patch by updating mcp-security to 0.1.9 via your Maven or Gradle dependency manager. Verify the patch is in place by confirming the mcp-security version in your application's dependency tree (e.g., `mvn dependency:tree | grep mcp-security`). No additional configuration changes are required post-patch, though you should audit your OAuth DCR settings to ensure they reference only trusted issuers.

Detection guidance

Monitor HTTP request logs for unexpected outbound connections from your Spring AI application to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or to cloud metadata endpoints (169.254.169.254 for AWS, GCP metadata service). Check application configuration files and environment variables for Dynamic Client Registration settings and verify that DCR discovery URLs are hardcoded and trusted. Correlate suspicious URL patterns in access logs with recent DCR configuration changes or deployments.

Why prioritize this

This vulnerability should be prioritized if your organization runs Spring AI with mcp-security and DCR enabled. The network-accessible exploitation path, combined with the ease of triggering metadata discovery, makes it a realistic attack vector. The partial confidentiality and integrity impacts justify urgent patching. If DCR is not in active use, remediation can be scheduled within a standard maintenance window but should not be deferred beyond your next release cycle.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH) reflects: network accessibility (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and scope change (S:C) allowing an attacker to reach resources beyond the vulnerable component. Confidentiality and integrity are partially compromised (C:L, I:L) through internal resource access and potential metadata manipulation, but availability is not impacted (A:N). The score accurately captures the risk posed by an unauthenticated SSRF in a network-facing service.

Frequently asked questions

Do we need to patch if Dynamic Client Registration is disabled?

Disabling DCR effectively mitigates this vulnerability because the SSRF vector is specific to the DCR discovery flow. However, upgrading to 0.1.9 is still recommended to avoid accidental re-enablement and to ensure defense-in-depth. Check your Spring AI configuration to confirm DCR is explicitly disabled.

Can internal firewalls prevent this attack?

Properly configured network segmentation and egress filtering can reduce—but not eliminate—risk. If your Spring AI application is restricted from reaching internal networks, the SSRF impact is limited. However, the vulnerability still allows probing of cloud metadata services or external malicious endpoints, so patching is preferable to relying solely on network controls.

What is the difference between this and a typical SSRF?

This SSRF is embedded in OAuth machinery rather than generic web request handling. The attacker's control surface is narrower—they must influence or intercept OAuth metadata URLs—but the impact can be deeper because DCR is a trust boundary. Modern deployments often automate DCR configuration, increasing the risk that a malicious or misconfigured metadata endpoint goes undetected.

How quickly should we deploy the patch?

If DCR is enabled, treat this as urgent and schedule patching within 30 days. The ease of exploitation and the breadth of internal resources that could be exposed justifies prioritization. If DCR is disabled, incorporate 0.1.9 into your next planned release cycle within 90 days.

This analysis is provided for informational purposes based on publicly disclosed vulnerability data. Organizations should verify applicability to their specific mcp-security version and Spring AI deployment configuration. Patch version numbers and remediation guidance should be cross-referenced with official Spring AI and mcp-security release notes before implementation. SEC.co assumes no liability for deployment outcomes or security incidents. Always test patches in non-production environments first and follow your organization's change management procedures. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).