Intel

AIKIDO-2026-317735

rmcp is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)GHSA-c9xm-49cp-xcr9 Published Jul 1, 2026

74

High Risk

This Affects:

RUSTrmcp
0.8.2 - 1.8.0
Fixed in 2.0.0
Are you affected? Scan for Free

TL;DR

The rmcp OAuth client in crates/rmcp/src/transport/auth.rs accepts a server-controlled resource_metadata URL from the WWW-Authenticate header and fetches it without same-origin or private-network validation. An attacker-controlled or compromised MCP server can return a 401 response pointing the client at loopback, RFC 1918, link-local, or cloud metadata endpoints, causing an outbound request from the victim application's network context. This allows server-side request forgery against internal services and cloud metadata endpoints. The fix enforces same-origin resource metadata URLs and blocks loopback, private, link-local, and known cloud metadata hosts.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the rmcp OAuth client to connect to MCP servers.

Background info

rmcp is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.8.2 - 1.8.0.

How to fix this

Upgrade the rmcp library to the patch version.