Skip to main content

MCP Toolbox CVE-2026-11717

| EUVDEUVD-2026-37879 CRITICAL
Improper Authentication (CWE-287)
2026-06-18 Google GHSA-8fcc-w5hv-4gxv
9.3
CVSS 4.0 · Vendor: Google
Share

Severity by source

Vendor (Google) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network-reachable MCP endpoint, no auth or user interaction, trivial logic bypass yields full read/write to protected tools and backing databases; availability not directly impacted.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Google).

CVSS VectorVendor: Google

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 12:33 vuln.today
Analysis Generated
Jun 18, 2026 - 12:33 vuln.today

DescriptionCVE.org

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.

When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.

AnalysisAI

Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed MCP Toolbox with generic auth
Delivery
Send Bearer request to protected tool
Exploit
Toolbox calls introspection endpoint
Install
Response omits active field
C2
Nil pointer skips deny check
Execute
Tool invoked, query backend database
Impact
Exfiltrate or modify data

Vulnerability AssessmentAI

Exploitation The toolbox must be configured with `kind: authService`, `type: generic`, `mcpEnabled: true`, and an `introspectionEndpoint` whose responses do not include the RFC 7662 `active` field - Google's `oauth2.googleapis.com/tokeninfo` is the canonical example called out in the PR. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Vendor CVSS 4.0 is 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) - network reachable, no privileges, no user interaction, high confidentiality and integrity impact on the MCP Toolbox and its connected databases. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-reachable MCP Toolbox configured with a `type: generic` authService whose introspection endpoint (a misconfigured or attacker-influenced OAuth server, e.g., Google's tokeninfo) returns a JSON body with no `active` member. The attacker sends `Authorization: Bearer <anything>` to a protected MCP tool endpoint; Toolbox forwards the token, parses the active-less response into an introspectResp with Active==nil, skips the rejection branch, and executes the tool against the backend database. …
Remediation Upstream fix available (PR https://github.com/googleapis/mcp-toolbox/pull/3341); released patched version not independently confirmed from the supplied data, so upgrade to the first tagged release that incorporates this PR once published and rebuild/redeploy the toolbox binary. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running googleapis/mcp-toolbox and assess OAuth 2.0 integration scope and criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11717 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy