CVE-2026-39885: mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications

April 8, 2026 (updated April 9, 2026)

The mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications.

References

github.com/advisories/GHSA-v6ph-xcq9-qxxj
github.com/agentfront/frontmcp
github.com/agentfront/frontmcp/releases/tag/v1.0.4
github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj
nvd.nist.gov/vuln/detail/CVE-2026-39885

Code Behaviors & Features

Detect and mitigate CVE-2026-39885 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →