Spring AI MCP Security, SSRF via DCR, CVE-2026-XXXX (Critical)

Listen to this Post

This vulnerability allows a malicious MCP client to force the authorization server to make arbitrary HTTP requests. The root cause is the absence of URL validation within the Dynamic Client Registration (DCR) process, which is explicitly enabled via the `spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=true` property.
When DCR is enabled, the MCP client consumes untrusted URLs from MCP Servers (e.g., the protected resource metadata URL, authorization server URL) and Authorization Servers (all OAuth2 endpoints) as part of the standard OAuth discovery and registration flow. The `mcp-security` framework directly uses these unverified user inputs to construct and dispatch outbound HTTP requests without a filter. This processing occurs within the affected `McpMetadataDiscoveryService` and `DynamicClientRegistrationService` classes.
An attacker can exploit this by hosting a malicious MCP server or a rogue Authorization Server. When a vulnerable MCP client connects to it, the attacker provides a specially crafted URL pointing to an internal network resource, such as http://169.254.169.254/latest/meta-data/` (IMDS endpoint) orhttp://localhost:8080/admin`. The framework then sends a request to this internal address, acting as a confused deputy. This SSRF attack enables the attacker to bypass network firewalls, scan internal ports, read instance metadata credentials, or interact with internal HTTP services that are not intended for external access. The official workaround involves manually implementing URL filtering through a ClientHttpRequestInterceptor.

dailycve form:

Platform: `Spring AI`
Version: `mcp-security 0.0.x`
Vulnerability: `SSRF via DCR`
Severity: `Critical`
date: `2025-09-22`

Prediction: `2025-10-15`

What Undercode Say:

Analytics show this vulnerability significantly elevates risk in shared cloud environments. The absence of SSRF filtering in the DCR metadata consumption chain represents a gap between the MCP security specification and its implementation. This configuration is likely prevalent in early-adopter AI agent deployments using dynamic OAuth discovery.

Simulated SSRF test using curl (attacker-controlled server response)
In a real attack, the MCP client would fetch this malicious metadata.
echo '{
"authorization_servers": ["http://169.254.169.254/latest/meta-data/"],
"protected_resource_metadata": "http://internal-admin-service/health"
}' | curl -X POST http://victim-mcp-client.com/register -d @-

Exploit:

  1. Attacker Setup: Host an MCP Server or Authorization Server with malicious metadata URLs pointing to internal resources (e.g., `http://localhost:8080/admin`).
  2. Trigger Discovery: The vulnerable client with DCR enabled connects to the attacker’s server.
  3. SSRF Execution: The client’s `McpMetadataDiscoveryService` blindly fetches the attacker’s URL, sending an internal request.
  4. Data Exfiltration: The response from the internal resource (e.g., AWS IMDS token) is returned to the attacker, completing the breach.

    Protection from this CVE:

    1. Disable DCR immediately if not required: spring.ai.mcp.client.authorization.dynamic-client-registration.enabled=false.

  5. Apply vendor patches upgrading `mcp-security` to a fixed version (expected mid-October 2025).
  6. Implement allow-list-based network egress controls on the client host to block all outbound requests to RFC 1918 addresses.
  7. Deploy a custom `ClientHttpRequestInterceptor` to validate all URL destinations against a trusted domain list.

Impact:

  • Internal Network Scanning: Enumerate open ports and services behind the firewall.
  • Credential Theft: Access cloud metadata APIs (AWS, GCP, Azure) to steal IAM roles and temporary credentials.
  • Privilege Escalation: Interact with internal admin panels, message queues, or CI/CD systems that lack authentication.
  • Availability Risk: Use the client as a proxy to overload internal services or delete resources.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top