Skills
CVE-2026-39885: MCP OpenAPI Library SSRF — Unrestricted $ref Pointer Resolution Enables Internal Network Reconnaissance and Local File Read
Disclosed April 8, CVE-2026-39885 (CVSS 7.5 High) affects the mcp-from-openapi library which uses a JSON schema reference parser to dereference $ref pointers in OpenAPI specifications without URL restrictions. Malicious OpenAPI specs can force the library to fetch resources from internal network addresses, cloud metadata endpoints (e.g., AWS [redacted]), or local files, enabling SSRF and local file read attacks. Any MCP server built from OpenAPI specs using this library is vulnerable. Combined with Unit 42's sampling research, this represents a second major MCP attack surface disclosed in the same week.
Source
↳ Follow the thread