auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
- Severity:
- High
Description
No description available.
Recommendation
Update the auth-fetch-mcp package to the latest compatible version. Followings are version details:
- Affected version(s): <= 3.0.0
- Patched version(s): 3.0.1
References
Related Issues
- PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability
- SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl - CVE-2026-46372
- engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt i - Vulnerability
- Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection - Vulnerability
You might also like:
- Tags:
- npm
- auth-fetch-mcp
Anything's wrong? Let us know Last updated on May 19, 2026


