CVE-2026-58196: ToolHive SSRF in remote MCP server authentication discovery
CVE-2026-58196 is verified against github.com/stacklok/toolhive · github affected versions: All ToolHive versions before 0.31.0. The GitHub repo advisory states ToolHive through v0.29.3 and main HEAD b672d82f41e6a919670ee1abe812f831ecb72448 were verified vulnerable before the fix. vulnerability class: SSRF This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00290.
pruva-verify REPRO-2026-00290 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00290/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh ToolHive versions before 0.31.0 are vulnerable to host-side SSRF during remote MCP server authentication discovery. The vulnerable path is the ToolHive host process, not the per-server container sandbox: when a user adds/runs a remote MCP server through the documented remote-server workflow, the host performs RFC 9728 / OAuth discovery requests based on attacker-controlled server responses (including resource_metadata and redirect targets) without the preexisting private-IP/loopback guard and without redirect restrictions. A malicious or compromised remote MCP discovery endpoint can therefore cause the ToolHive host to fetch an attacker-selected internal URL, bypassing the intended container isolation boundary. The fixing diff in v0.31.0 adds redirect policy enforcement and private-IP blocking to the discovery HTTP client path.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support · claim contract · reproduction · judge · variant analysis
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.