Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/stacklok/toolhive
  4. ›
  5. CVE-2026-58196

CVE-2026-58196: ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)

July 15, 2026

ToolHive’s remote MCP server authentication discovery issues outbound HTTP requests to URLs the remote MCP server controls, with no private-IP or loopback guard and no restriction on redirects. ToolHive’s core security model treats every MCP server as untrusted: the README states it “runs every MCP server in an isolated container” with “no local credentials,” and it ships an egress proxy for network isolation. This discovery code runs host-side, in the ToolHive process, before and outside that per-server container sandbox. A malicious or compromised remote MCP server, added by a user through ToolHive’s normal remote-server workflow, can therefore drive the ToolHive host itself to fetch arbitrary internal URLs, including cloud instance metadata, which bypasses the isolation ToolHive exists to provide. The user never selects a malicious target; they connect to a server they intend to use, and the attack is carried entirely in that server’s discovery response.

ToolHive already establishes this boundary in code. ValidateRemoteURL (cmd/thv-operator/pkg/validation/url_validation.go:61) rejects internal IPs and known internal hostnames for the configured remote URL, and IsPrivateIP (pkg/networking/utilities.go:105) blocks RFC1918, link-local, 169.254.0.0/16, and loopback for outbound requests. The discovery clients below never call either guard, and the attacker-supplied resource_metadata URL and its redirect target are validated by neither. This is a deviation from the project’s intended behavior, not a configuration choice by the operator.

References

  • github.com/advisories/GHSA-pr64-jmmf-jp54
  • github.com/stacklok/toolhive/security/advisories/GHSA-pr64-jmmf-jp54
  • nvd.nist.gov/vuln/detail/CVE-2026-58196

Code Behaviors & Features

Detect and mitigate CVE-2026-58196 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.31.0

Fixed versions

  • 0.31.0

Solution

Upgrade to version 0.31.0 or above.

Impact 4.7 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Learn more about CVSS

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

go/github.com/stacklok/toolhive/CVE-2026-58196.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 16 Jul 2026 12:19:11 +0000.