CVE-2026-45609: Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
(updated )
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to the network.
This only affects installations with Dynamic Client Registration (DCR) enabled:
spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true
DCR does not validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints).
References
- github.com/advisories/GHSA-qjp4-4jvr-xqg3
- github.com/spring-ai-community/mcp-security/commit/e6b67d8a67cd7acbee6e4c0741c385d62e3ed576
- github.com/spring-ai-community/mcp-security/pull/68
- github.com/spring-ai-community/mcp-security/releases/tag/v0.1.9
- github.com/spring-ai-community/mcp-security/security/advisories/GHSA-qjp4-4jvr-xqg3
- nvd.nist.gov/vuln/detail/CVE-2026-45609
Code Behaviors & Features
Detect and mitigate CVE-2026-45609 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →