Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable MCP endpoint, no auth or user interaction, trivial logic bypass yields full read/write to protected tools and backing databases; availability not directly impacted.
Primary rating from Vendor (Google).
CVSS VectorVendor: Google
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.
When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.
AnalysisAI
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The toolbox must be configured with `kind: authService`, `type: generic`, `mcpEnabled: true`, and an `introspectionEndpoint` whose responses do not include the RFC 7662 `active` field - Google's `oauth2.googleapis.com/tokeninfo` is the canonical example called out in the PR. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Vendor CVSS 4.0 is 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) - network reachable, no privileges, no user interaction, high confidentiality and integrity impact on the MCP Toolbox and its connected databases. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-reachable MCP Toolbox configured with a `type: generic` authService whose introspection endpoint (a misconfigured or attacker-influenced OAuth server, e.g., Google's tokeninfo) returns a JSON body with no `active` member. The attacker sends `Authorization: Bearer <anything>` to a protected MCP tool endpoint; Toolbox forwards the token, parses the active-less response into an introspectResp with Active==nil, skips the rejection branch, and executes the tool against the backend database. … |
| Remediation | Upstream fix available (PR https://github.com/googleapis/mcp-toolbox/pull/3341); released patched version not independently confirmed from the supplied data, so upgrade to the first tagged release that incorporates this PR once published and rebuild/redeploy the toolbox binary. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running googleapis/mcp-toolbox and assess OAuth 2.0 integration scope and criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opa
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege c
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37879
GHSA-8fcc-w5hv-4gxv