The vulnerability permits an attacker to instruct the mcp‑security component to retrieve content from arbitrary URLs supplied during OAuth discovery and metadata handling. Because no validation is performed, the component can resolve and fetch endpoints that are internal or potentially malicious, leading to exposure of confidential data, manipulation of internal services, or denial of service through resource exhaustion. The weakness is a classic Server‑Side Request Forgery, classified as CWE‑918.

Spring AI Community’s mcp‑security product, versions prior to 0.1.9, is affected when Dynamic Client Registration is enabled. Only installations using older releases of mcp‑security and that have DCR active are vulnerable; other versions or configurations are not impacted.

With a CVSS score of 7.2, the vulnerability is considered high severity. The EPSS score is not reported, but the risk remains significant in environments where mcp‑security processes external URLs. The vulnerability is not listed in the CISA KEV catalog, yet it remains exploitable in any system that permits untrusted URLs when DCR is enabled. Attackers can exploit it by supplying a malicious or internal URL in a request that triggers the OAuth discovery flow, enabling them to reach protected network resources from the server side.