{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.010Z", "datePublished": "2026-04-08T20:34:20.538Z", "dateUpdated": "2026-04-09T16:16:59.067Z"}, "containers": {"cna": {"title": "FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"}, {"name": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"}], "affected": [{"vendor": "agentfront", "product": "frontmcp", "versions": [{"version": "< 1.0.4", "status": "affected"}]}, {"vendor": "@frontmcp", "product": "adapters", "versions": [{"version": "< 1.0.4", "status": "affected"}]}, {"vendor": "@frontmcp", "product": "sdk", "versions": [{"version": "< 1.0.4", "status": "affected"}]}, {"vendor": "frontmcp", "product": "mcp-from-openapi", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:34:20.538Z"}, "descriptions": [{"lang": "en", "value": "FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-v6ph-xcq9-qxxj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:53:12.471902Z", "id": "CVE-2026-39885", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:16:59.067Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-39885", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:17:00.833", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/agentfront/frontmcp/releases/tag/v1.0.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "frontmcp", "source": "cna", "vendor": "agentfront"}, "product": "frontmcp", "vendor": "agentfront"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mcp-from-openapi", "source": "cna", "vendor": "frontmcp"}, "product": "mcp-from-openapi", "vendor": "frontmcp"}], "analysis": {"en": {"generated_at": "2026-04-08T21:20:31.026506+00:00", "value": {"mitigation_remediation": ["Upgrade the mcp\u2011from\u2011openapi library to version\u00a02.3.0 or later.", "If upgrading is not immediately possible, configure a custom resolver or apply URL restrictions to the json\u2011schema\u2011ref\u2011parser so that $ref dereferencing is limited to trusted sources.", "Validate and sanitize all OpenAPI specifications before passing them to the initialize() routine.", "Monitor application logs for unexpected outbound requests or file\u2011read patterns to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery and local file read"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the FrontMCP framework include the adapters, SDK, agentfront frontmcp, and mcp\u2011from\u2011openapi components. All releases prior to version\u00a02.3.0 of the mcp\u2011from\u2011openapi library are affected, regardless of the hosting environment. Users deploying FrontMCP with any older mcp\u2011from\u2011openapi package should consider the risk.", "description_and_impact": "FrontMCP\u2019s mcp\u2011from\u2011openapi library uses a JSON schema parser that dereferences $ref pointers in OpenAPI specifications without any URL restrictions or custom resolvers. When fed an untrusted specification, the parser automatically fetches the resources referenced by $ref, which can point to internal network addresses, cloud metadata endpoints, or local files. This flaw enables a malicious actor to trigger Server\u2011Side Request Forgery (SSRF) and read arbitrary files on the server during the library\u2019s initialization. The weakness is a typical example of CWE\u2011918, exposing the application to confidentiality and potential network-breach risks.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is classified as high severity. No EPSS score is available and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker who can supply a malicious OpenAPI specification to the initialize() call, meaning the attack surface is limited to environments where untrusted specs may be processed or distributed. If such input can be controlled, the attacker can cause outbound network traffic or read sensitive files, potentially leading to broader compromise."}}}}, "created": "2026-04-09T08:17:53.464809+00:00", "updated": "2026-04-09T08:27:16.825726+00:00", "vendors": ["agentfront", "agentfront$PRODUCT$frontmcp", "frontmcp", "frontmcp$PRODUCT$mcp-from-openapi"]}