Authenticated SSRF

Authenticated SSRF is a form of server-side request forgery where the dangerous part is not only that a server can be tricked into making an HTTP request. The more important issue is that the request is made with the server's own trust advantages attached. Those advantages may include API keys, bearer tokens, session cookies, mutual TLS identity, internal network reachability, or backend authorization rules that treat the caller as a trusted service.

That distinction matters because ordinary SSRF and authenticated SSRF do not have the same blast radius. A basic SSRF issue might allow reachability to an internal metadata service, admin panel, or backend API. An authenticated SSRF issue can go further by preserving the exact credentials and service identity that the intermediary already holds. In practical terms, the attacker is not only steering traffic. They are steering a credentialed intermediary.

This concept is especially important in Model Context Protocol deployments and other agent tool layers. An MCP server may expose a clean, narrow tool interface to the model while internally constructing requests to privileged backend APIs. If model-controlled arguments can alter the final request path, query, host, or method, the issue is no longer just bad URL handling. It becomes a prompt-to-sink problem where low-trust model influence reaches a backend sink through a trusted connector.

The June 2026 FastMCP OpenAPI provider advisory is a useful example. A path parameter inserted into a URL template without proper encoding could be resolved by urljoin() into an unintended backend path. Because the provider sent the request with configured authorization headers, the resulting request was not merely server-side browsing. It was authenticated SSRF into privileged internal API space.

For auditors, this term sharpens the review process. The question is not only whether a tool can reach internal endpoints. The question is whether the tool can do so while preserving credentials or trust assumptions that the model itself should never directly control. That means reviewing final URL construction, destination policy after normalization, attached identity, per-endpoint credential scoping, and whether logs capture the real backend action rather than only the nominal tool invocation.

Authenticated SSRF becomes even more serious in coding agents, long-lived agents, and Agentic DeFi systems. In those environments, internal APIs often shape deployments, approvals, routing, treasury policy, or operational decisions. A forged request carrying valid service credentials may therefore influence code, data, or money without ever touching a shell or private key directly.