CVE-2026-39885
Published: 08 April 2026
Summary
CVE-2026-39885 is a high-severity SSRF (CWE-918) vulnerability in Agentfront @Frontmcp/Adapters. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Validates untrusted OpenAPI specifications at input interfaces to reject or sanitize malicious $ref pointers, directly preventing SSRF and local file read attacks.
Enforces information flow control policies that restrict the dereferencing library from accessing internal networks, cloud metadata endpoints, or local files via unauthorized $ref fetches.
Monitors and controls communications at internal boundaries to block or detect SSRF attempts to internal services and unauthorized resource fetches triggered by malicious OpenAPI specs.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The SSRF vulnerability allows remote exploitation of a public-facing application (T1190) by supplying crafted inputs, directly enabling local file reads (T1005) and access to cloud instance metadata endpoints (T1552.005).
NVD Description
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
Deeper analysis (AI)
CVE-2026-39885 affects FrontMCP, a TypeScript-first framework for the Model Context Protocol (MCP), specifically in versions prior to 2.3.0. The vulnerability resides in the mcp-from-openapi library, which relies on @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications. Without URL restrictions or custom resolvers, this parser fetches resources referenced by $ref values during the initialize() call. Malicious OpenAPI specifications can point to internal network addresses, cloud metadata endpoints, or local files, enabling server-side request forgery (SSRF) and local file read attacks when processing untrusted inputs. The issue is classified under CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote attackers require no privileges or user interaction to exploit this vulnerability by supplying a crafted OpenAPI specification to a vulnerable FrontMCP instance. During initialization, the library will attempt to resolve malicious $ref pointers, allowing attackers to force the server to make unauthorized requests to internal networks, access cloud instance metadata services, or read local files. This results in high confidentiality impacts, such as exfiltration of sensitive internal data or metadata that could facilitate further compromise.
The vulnerability is fixed in FrontMCP version 2.3.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at GHSA-v6ph-xcq9-qxxj and related release notes.
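The following is an added example, not FrontMCP or mcp-from-openapi code and not the 2.3.0 fix: a pre-flight check that walks an untrusted OpenAPI document before it is handed to a dereferencer and rejects every $ref that is not a same-document pointer or an https URL on an allowlist. The function names, the allowlisted host and the sample spec are assumptions constructed for illustration.

```javascript
// Added example: pre-flight $ref policy check for an untrusted OpenAPI document.
// Policy (assumption): accept only same-document refs ("#/...") and https refs
// whose host is on an explicit allowlist; everything else is rejected.
const ALLOWED_HOSTS = new Set(['schemas.example.com']); // hypothetical allowlist

function classifyRef(ref) {
  if (typeof ref !== 'string') return 'invalid';
  if (ref.startsWith('#')) return 'local';
  let url;
  // No scheme means a relative or absolute path, which resolves from disk.
  try { url = new URL(ref); } catch { return 'file'; }
  if (url.protocol === 'file:') return 'file';
  if (url.protocol !== 'https:') return 'blocked-scheme';
  return ALLOWED_HOSTS.has(url.hostname) ? 'allowed-remote' : 'blocked-host';
}

// Walk every object and array; collect rejected refs with their JSON path.
function findRejectedRefs(node, path = '#', out = [], seen = new Set()) {
  if (node === null || typeof node !== 'object' || seen.has(node)) return out;
  seen.add(node);
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}/${key}`;
    if (key === '$ref') {
      const kind = classifyRef(value);
      if (kind !== 'local' && kind !== 'allowed-remote') out.push({ path: here, ref: value, kind });
    } else {
      findRejectedRefs(value, here, out, seen);
    }
  }
  return out;
}

// Constructed sample spec covering the target classes named in the advisory.
const sampleSpec = {
  openapi: '3.0.0',
  paths: { '/a': { get: { responses: { 200: { $ref: '#/components/responses/Ok' } } } } },
  components: {
    responses: { Ok: { description: 'ok' } },
    schemas: {
      Meta: { $ref: 'http://169.254.169.254/latest/meta-data/' },
      File: { $ref: 'file:///etc/passwd' },
      Rel: { $ref: '../../secrets.json' },
      Lan: { $ref: 'https://10.0.0.5/internal.json' },
      Good: { $ref: 'https://schemas.example.com/pet.json' },
    },
  },
};

console.log(findRejectedRefs(sampleSpec)); // reject the spec if this is non-empty
```

This check only inspects the document it is given: an allowlisted remote document can itself contain further refs, and a hostname allowlist does not cover redirects or DNS changes, so the egress restrictions described under the mitigating controls still apply.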
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: model context protocol, mcp, mcp