CVE-2026-39885 HIGH

CVE-2026-39885: FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications

Vendor: Agentfront
Product: frontmcp
Weakness: CWE-918 · SSRF
Published: April 8, 2026
Last update: April 9, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.

Key dates

Disclosure timeline

April 8, 2026: CVE published
April 9, 2026: Record updated