GHSA-hv85-774v-26fg: auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
Summary
The `download_media` and `auth_fetch` tools in auth-fetch-mcp accept any URL without validation, allowing an attacker (via prompt injection or a malicious MCP client) to make the server fetch from private or internal services like cloud metadata endpoints or localhost, and then exfiltrate the response data. The `download_media` tool makes this worse by saving fetched content to disk where it can be read and stolen.
Solution / Mitigation
The source text describes the shape of the fix but gives no implementation and names no patched version: 'after URL parsing, resolve to IP, reject if private/loopback/link-local. Same defense as the well-known SSRF-guard pattern shipped by other MCP fetchers in the ecosystem (e.g., `Akitaroh/scraper-mcp` `src/security/url-guard.ts`).' No release number or completed code fix is provided in the source, so users should check the repository for a fix before relying on either tool with untrusted input.
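The guard the advisory describes (parse the URL, resolve the host to IP addresses, refuse private, loopback and link-local destinations before fetching), written out as an added example. This is not code from auth-fetch-mcp or from scraper-mcp's `url-guard.ts`; the function names (`guardUrl`, `checkResolved`, `isBlockedIPv4`, `isBlockedIPv6`, `systemResolve`), the injectable resolver and the sample hostnames are assumptions made for illustration.

```typescript
// Added example of an SSRF guard for an MCP fetch tool; not auth-fetch-mcp's own code.
import { promises as dns } from "dns";
import { isIP } from "net";

// A resolver is injectable so the guard can be tested with constructed records.
export type Resolver = (hostname: string) => Promise<string[]>;

// Default resolver: every address the OS resolver returns (A and AAAA).
export const systemResolve: Resolver = async (hostname) =>
  (await dns.lookup(hostname, { all: true })).map((r) => r.address);

const ipv4ToInt = (ip: string): number =>
  ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;

// CIDR blocks an LLM-reachable fetcher should never contact.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],       // "this" network
  ["10.0.0.0", 8],      // RFC 1918
  ["100.64.0.0", 10],   // carrier-grade NAT
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local; cloud metadata services live here
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["224.0.0.0", 4],     // multicast
  ["240.0.0.0", 4],     // reserved, includes limited broadcast
];

export function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = ((~0 << (32 - bits)) >>> 0);
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

export function isBlockedIPv6(ip: string): boolean {
  const addr = ip.toLowerCase();
  // IPv4-mapped address (::ffff:1.2.3.4, or ::ffff:102:304 as the URL parser
  // serialises it): judge the embedded IPv4 address instead.
  const mapped = addr.match(/^::ffff:(.+)$/);
  if (mapped) {
    const tail = mapped[1];
    if (isIP(tail) === 4) return isBlockedIPv4(tail);
    const groups = tail.split(":").map((h) => parseInt(h, 16));
    if (groups.length !== 2 || groups.some(Number.isNaN)) return true; // fail closed
    const [hi, lo] = groups;
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  if (addr === "::" || addr === "::1") return true;   // unspecified, loopback
  const first = parseInt(addr.split(":")[0] || "0", 16); // first 16-bit group
  if ((first & 0xfe00) === 0xfc00) return true;         // fc00::/7 unique local
  if ((first & 0xffc0) === 0xfe80) return true;         // fe80::/10 link-local
  if ((first & 0xff00) === 0xff00) return true;         // ff00::/8 multicast
  return false;
}

export type Verdict =
  | { ok: true; url: URL; addresses: string[] }
  | { ok: false; reason: string };

// Pure decision step: given the URL and the addresses its host resolved to.
export function checkResolved(raw: string, addresses: string[]): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  const host = url.hostname.replace(/^\[|\]$/g, "");  // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost"))
    return { ok: false, reason: "localhost is not allowed" };
  if (addresses.length === 0) return { ok: false, reason: "host did not resolve" };
  // Every address must be public: a name with one private A record is enough to reject.
  for (const a of addresses) {
    const kind = isIP(a);
    const blocked = kind === 4 ? isBlockedIPv4(a) : kind === 6 ? isBlockedIPv6(a) : true;
    if (blocked) return { ok: false, reason: `resolves to non-public address ${a}` };
  }
  return { ok: true, url, addresses };
}

// Full guard: parse, resolve (literal IPs skip DNS; the WHATWG parser already
// normalises forms such as 2130706433 or 0x7f.1 to 127.0.0.1), then decide.
export async function guardUrl(raw: string, resolve: Resolver = systemResolve): Promise<Verdict> {
  let host: string;
  try { host = new URL(raw).hostname.replace(/^\[|\]$/g, ""); }
  catch { return { ok: false, reason: "unparseable URL" }; }
  const addresses = isIP(host) ? [host] : await resolve(host).catch(() => [] as string[]);
  return checkResolved(raw, addresses);
}
```

The fetch tool would call `guardUrl` before every request and, because the real `fetch` follows redirects on its own, fetch with `redirect: "manual"` and run the guard again on each `Location` target; otherwise a public host can redirect the server to an internal one. The verdict returns the addresses it approved so the caller can connect to those rather than resolving the name a second time.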
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-hv85-774v-26fg
First tracked: May 19, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%