Threat Advisory

Spring AI MCP Vulnerability Unvalidated Fetching

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45609 (CVSS score 7.2) is a Server-Side Request Forgery (SSRF) vulnerability in the mcp-security framework that affects installations with Dynamic Client Registration (DCR) enabled. The affected product is the mcp-client-security package, in versions earlier than 0.1.9. The vulnerability arises from the framework's failure to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications: it processes untrusted URLs for OAuth-related discovery and metadata without verifying whether the targets are malicious or internal to the network. An attacker can exploit this by manipulating the URLs exposed by MCP Servers and Authorization Servers, which the framework processes without proper validation, and so gain the capability to perform arbitrary requests on behalf of the application. This capability can be used to conduct reconnaissance, extract sensitive information, or even take control of internal systems. The resulting business impact includes unauthorized data disclosure, disruption of business operations, and potential financial loss, contingent upon the attacker having access to the application's configuration files where DCR is enabled and the `spring.ai.mcp.client.authorization.dynamic-client-registration.enabled` property is set to `true`.


RECOMMENDATION:

  • We recommend updating mcp-client-security to version 0.1.9.
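
To find deployments that still match the two conditions in this advisory (mcp-client-security below 0.1.9 and the DCR property set to `true`), the following added example, which is not code from the advisory or the project, checks a Maven `pom.xml` and a `.properties` file. It assumes a Maven build and properties-format configuration (YAML and Gradle are not covered); the function names, result labels and sample input are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ARTIFACT = "mcp-client-security"  # affected package named in the advisory
FIXED = (0, 1, 9)                 # fixed version given in the recommendation
DCR_KEY = "spring.ai.mcp.client.authorization.dynamic-client-registration.enabled"

def declared_version(pom_xml):
    """Version declared for ARTIFACT in a pom.xml, '' if managed elsewhere, None if absent."""
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if fields.get("artifactId") == ARTIFACT:
            return fields.get("version", "")
    return None

def is_affected(version):
    """True when version < 0.1.9; a qualifier on 0.1.9 (e.g. -SNAPSHOT) counts as affected."""
    core, _, qualifier = version.partition("-")
    nums = tuple(int(n) for n in core.split("."))
    return nums < FIXED or (nums == FIXED and bool(qualifier))

def dcr_enabled(properties_text):
    """True when the last assignment of DCR_KEY in .properties text is 'true'."""
    value = ""
    for line in properties_text.splitlines():
        # Skips comment lines (# or !) and accepts '=' or ':' as the separator.
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m and m.group(1) == DCR_KEY:
            value = m.group(2)
    return value.lower() == "true"

def assess(pom_xml, properties_text):
    version = declared_version(pom_xml)
    if version is None:
        return "not-present"
    if not re.fullmatch(r"\d+(\.\d+)*(-.+)?", version):
        return "review"            # ${property} or BOM-managed: resolve by hand
    if not is_affected(version):
        return "patched"
    return "exposed" if dcr_enabled(properties_text) else "affected-version-dcr-off"

# Constructed sample input; the groupId is a placeholder, not the real coordinate.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>GROUP-ID-PLACEHOLDER</groupId>
    <artifactId>mcp-client-security</artifactId><version>0.1.8</version></dependency>
</dependencies></project>"""
SAMPLE_PROPS = "# constructed sample\n" + DCR_KEY + "=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_POM, SAMPLE_PROPS))
```

A result of `review` means the version is set through a Maven property or a BOM and has to be resolved from the effective POM before the host can be cleared.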

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qjp4-4jvr-xqg3
