What is CVE-2026-39885?

CVE-2026-39885 is a high-severity vulnerability in Agentfront Frontmcp, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.5/10. Published 2026-04-08.

How severe is CVE-2026-39885?

High severity. CVSS v3 base score is 7.5 out of 10.

SSRF in Agentfront Frontmcp

CVE-2026-39885

FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (19.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Agentfront Frontmcp — versions < 1.0.4
@Frontmcp Adapters — versions < 1.0.4
@Frontmcp Sdk — versions < 1.0.4
Frontmcp Mcp-from-openapi — versions < 2.3.0

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/agentfront/frontmcp/security/advisories/GHSA-v6ph-xcq9-qxxj (x_refsource_CONFIRM)
https://github.com/agentfront/frontmcp/releases/tag/v1.0.4 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39885?: CVE-2026-39885 is a high-severity vulnerability in Agentfront Frontmcp, classified under Server-Side Request Forgery (SSRF). CVSS score: 7.5/10. Published 2026-04-08.
How severe is CVE-2026-39885?: High severity. CVSS v3 base score is 7.5 out of 10.