Skip to content
Verified reproduction

CVE-2026-58196: ToolHive SSRF in remote MCP server authentication discovery

CVE-2026-58196 is verified against github.com/stacklok/toolhive · github affected versions: All ToolHive versions before 0.31.0. The GitHub repo advisory states ToolHive through v0.29.3 and main HEAD b672d82f41e6a919670ee1abe812f831ecb72448 were verified vulnerable before the fix. vulnerability class: SSRF This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00290.

REPRO-2026-00290 github.com/stacklok/toolhive · github SSRF Variant found Known vulnerability Jul 16, 2026 CVE entry .txt
Severity MEDIUM
Confidence HIGH
Reproduced in 43m 47s
Tool calls 210
Spend $12.99
Affected All ToolHive versions before 0.31.0. The GitHub repo advisory states ToolHive through v0.29.3 and main HEAD b672d82f41e6a919670ee1abe812f831ecb72448 were verified vulnerable before the fix.
$ pruva-verify REPRO-2026-00290
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00290/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

ToolHive versions before 0.31.0 are vulnerable to host-side SSRF during remote MCP server authentication discovery. The vulnerable path is the ToolHive host process, not the per-server container sandbox: when a user adds/runs a remote MCP server through the documented remote-server workflow, the host performs RFC 9728 / OAuth discovery requests based on attacker-controlled server responses (including resource_metadata and redirect targets) without the preexisting private-IP/loopback guard and without redirect restrictions. A malicious or compromised remote MCP discovery endpoint can therefore cause the ToolHive host to fetch an attacker-selected internal URL, bypassing the intended container isolation boundary. The fixing diff in v0.31.0 adds redirect policy enforcement and private-IP blocking to the discovery HTTP client path.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/vuln_variant/root_cause_equivalence.json1.9 KB
bundle/repro/reproduction_steps.sh17.2 KB
bundle/repro/runtime_manifest.json1.3 KB
bundle/repro/validation_verdict.json0.7 KB
bundle/repro/rca_report.md7.4 KB
bundle/logs/reproduction_steps.log1.5 KB
bundle/logs/toolhive_vulnerable_attempt1.log23.0 KB
bundle/logs/malicious_server_vulnerable_attempt1.log2.4 KB
bundle/logs/canary_vulnerable_attempt1.log0.5 KB
bundle/logs/canary_fixed_attempt1.log0.0 KB
bundle/artifacts/toolhive-ssrf/attempts.jsonl2.3 KB
bundle/logs/toolhive_vulnerable_attempt2.log23.0 KB
bundle/logs/toolhive_fixed_attempt1.log22.9 KB
bundle/logs/toolhive_fixed_attempt2.log22.9 KB
bundle/logs/malicious_server_vulnerable_attempt2.log2.4 KB
bundle/logs/malicious_server_fixed_attempt1.log2.4 KB
bundle/logs/malicious_server_fixed_attempt2.log2.4 KB
bundle/logs/canary_vulnerable_attempt2.log0.5 KB
bundle/logs/canary_fixed_attempt2.log0.0 KB
bundle/vuln_variant/reproduction_steps.sh11.4 KB
bundle/vuln_variant/variant_lab_servers.py8.4 KB
bundle/vuln_variant/rca_report.md10.3 KB
bundle/vuln_variant/patch_analysis.md8.4 KB
bundle/vuln_variant/variant_manifest.json3.4 KB
bundle/vuln_variant/validation_verdict.json2.6 KB
bundle/vuln_variant/source_identity.json1.5 KB
bundle/vuln_variant/runtime_manifest.json1.5 KB
bundle/logs/vuln_variant/reproduction_steps.log1.1 KB
bundle/logs/vuln_variant/variant_attempts.jsonl2.5 KB
bundle/logs/vuln_variant/fixed_auth.log2.0 KB
bundle/logs/vuln_variant/fixed_canary.log0.5 KB
bundle/logs/vuln_variant/latest_canary.log0.5 KB
bundle/logs/vuln_variant/source_revisions.txt1.1 KB
bundle/logs/vuln_variant/vulnerable_thv.log22.8 KB
bundle/logs/vuln_variant/fixed_thv.log22.4 KB
bundle/logs/vuln_variant/latest_thv.log22.6 KB
bundle/logs/vuln_variant/vulnerable_auth.log2.0 KB
bundle/logs/vuln_variant/latest_auth.log2.0 KB
bundle/logs/vuln_variant/vulnerable_canary.log0.5 KB
bundle/logs/vuln_variant/vulnerable_version.txt0.2 KB
bundle/logs/vuln_variant/fixed_version.txt0.2 KB
bundle/logs/vuln_variant/latest_version.txt0.1 KB