Description
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery and local file read
Action: Immediate Patch
AI Analysis

Impact

FrontMCP’s mcp‑from‑openapi library uses a JSON schema parser that dereferences $ref pointers in OpenAPI specifications without any URL restrictions or custom resolvers. When fed an untrusted specification, the parser automatically fetches the resources referenced by $ref, which can point to internal network addresses, cloud metadata endpoints, or local files. This flaw enables a malicious actor to trigger Server‑Side Request Forgery (SSRF) and read arbitrary files on the server during the library’s initialization. The weakness is a typical example of CWE‑918, exposing the application to confidentiality and potential network-breach risks.

Affected Systems

Vulnerable versions of the FrontMCP framework include the adapters, SDK, agentfront frontmcp, and mcp‑from‑openapi components. All releases prior to version 2.3.0 of the mcp‑from‑openapi library are affected, regardless of the hosting environment. Users deploying FrontMCP with any older mcp‑from‑openapi package should consider the risk.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is classified as high severity. No EPSS score is available and the issue is not listed in CISA’s KEV catalog. Exploitation requires an attacker who can supply a malicious OpenAPI specification to the initialize() call, meaning the attack surface is limited to environments where untrusted specs may be processed or distributed. If such input can be controlled, the attacker can cause outbound network traffic or read sensitive files, potentially leading to broader compromise.

Generated by OpenCVE AI on April 8, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the mcp‑from‑openapi library to version 2.3.0 or later.
  • If upgrading is not immediately possible, configure a custom resolver or apply URL restrictions to the json‑schema‑ref‑parser so that $ref dereferencing is limited to trusted sources.
  • Validate and sanitize all OpenAPI specifications before passing them to the initialize() routine.
  • Monitor application logs for unexpected outbound requests or file‑read patterns to detect potential exploitation attempts.

Generated by OpenCVE AI on April 8, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v6ph-xcq9-qxxj mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
History

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Agentfront
Agentfront frontmcp
Frontmcp
Frontmcp mcp-from-openapi
Vendors & Products Agentfront
Agentfront frontmcp
Frontmcp
Frontmcp mcp-from-openapi

Wed, 08 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
Title FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Agentfront Frontmcp
Frontmcp Mcp-from-openapi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:16:59.067Z

Reserved: 2026-04-07T20:32:03.010Z

Link: CVE-2026-39885

cve-icon Vulnrichment

Updated: 2026-04-09T14:53:28.220Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T21:17:00.833

Modified: 2026-04-09T17:16:29.533

Link: CVE-2026-39885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:16Z

Weaknesses