{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45609/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp-client-security (\u003c 0.1.9)"],"_cs_severities":["high"],"_cs_tags":["ssrf","spring-ai","oauth","cve-2026-45609"],"_cs_type":"advisory","_cs_vendors":["Spring AI Community"],"content_html":"\u003cp\u003eThe mcp-security framework, specifically versions prior to 0.1.9, does not enforce mandatory SSRF mitigations as outlined in the Model Context Protocol (MCP) security specifications. This vulnerability, tracked as CVE-2026-45609, stems from the framework\u0026rsquo;s processing of untrusted URLs for OAuth-related discovery and metadata without proper validation. The issue arises when Dynamic Client Registration (DCR) is enabled, as it fails to validate URLs exposed by MCP Servers (protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints). This lack of validation allows attackers to potentially manipulate the application into making requests to internal or malicious external servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Spring AI MCP application with Dynamic Client Registration (DCR) enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL pointing to an internal service or external server.\u003c/li\u003e\n\u003cli\u003eThe attacker provides this malicious URL as part of the DCR process, potentially as the protected resource metadata URL, authorization server URL, or OAuth2 endpoint.\u003c/li\u003e\n\u003cli\u003eThe application, without proper validation, attempts to fetch metadata or interact with the server specified in the malicious URL.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an internal service, the attacker can potentially gain access to sensitive internal resources or configurations.\u003c/li\u003e\n\u003cli\u003eIf the URL points to an external server, the attacker can potentially exfiltrate sensitive data or perform other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application inadvertently makes a request to the attacker-controlled resource.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors access logs on the controlled resource, gathers sensitive data and continues pivoting within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-45609) could allow an attacker to access internal resources, exfiltrate sensitive data, or perform other malicious actions within the network. While the exact number of affected installations is unknown, any Spring AI MCP application with DCR enabled is potentially vulnerable. This could lead to data breaches, service disruptions, or further compromise of the application and its environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 0.1.9 or later of \u003ccode\u003eorg.springaicommunity:mcp-client-security\u003c/code\u003e to patch CVE-2026-45609.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement the workaround suggested by Spring AI Community by providing a custom \u003ccode\u003eMcpOAuth2ClientManager\u003c/code\u003e that includes URL filtering.\u003c/li\u003e\n\u003cli\u003eApply URL filtering through \u003ccode\u003eClientHttpRequestInterceptor\u003c/code\u003e within the \u003ccode\u003eRestClient\u003c/code\u003e used by \u003ccode\u003eMcpMetadataDiscoveryService\u003c/code\u003e and \u003ccode\u003eDynamicClientRegistrationService\u003c/code\u003e to prevent unauthorized URL access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Spring AI MCP SSRF via DCR\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:30:43Z","date_published":"2026-05-18T13:30:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-spring-ai-ssrf/","summary":"The mcp-security framework fails to implement SSRF mitigations outlined in the Model Context Protocol, processing untrusted URLs for OAuth-related discovery and metadata without verification, affecting installations with Dynamic Client Registration (DCR) enabled and exposing them to potential Server-Side Request Forgery (SSRF) attacks, tracked as CVE-2026-45609.","title":"Spring AI MCP Security Unvalidated URL Fetching (SSRF)","url":"https://feed.craftedsignal.io/briefs/2026-05-spring-ai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45609","version":"https://jsonfeed.org/version/1.1"}