Skip to main content

MCP Toolbox CVE-2026-11718

| EUVDEUVD-2026-37880 CRITICAL
Improper Authentication (CWE-287)
2026-06-18 Google GHSA-wcpr-6g7x-p44r
9.3
CVSS 4.0 · Vendor: Google
Share

Severity by source

Vendor (Google) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Network-reachable auth bypass with no privileges or user interaction; full read/write access to protected MCP operations gives C:H/I:H, while availability is unaffected.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Google).

CVSS VectorVendor: Google

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 12:33 vuln.today
Analysis Generated
Jun 18, 2026 - 12:33 vuln.today

DescriptionCVE.org

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.

When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.

AnalysisAI

Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed MCP Toolbox endpoint
Delivery
Obtain opaque token from cooperating IdP
Exploit
Send introspection-validated request without iss claim
Execution
Bypass silently skipped issuer check
Impact
Invoke MCP tools against backend databases

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target MCP Toolbox deployment be configured to use the generic OAuth auth provider with opaque-token validation against an RFC 7662 introspection endpoint, and that the introspection response for an attacker-controlled token omits the optional 'iss' field - under those conditions, no authentication or user interaction is needed (CVSS PR:N/UI:N) and the attacker only needs network reach to the toolbox's authenticated endpoints. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) and 9.3 base score correctly reflect that exploitation requires only network reach to the toolbox's authenticated endpoints plus a token from any cooperating OAuth introspection endpoint that does not return an iss claim - no privileges, no user interaction, low complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or can use an OAuth provider whose RFC 7662 introspection response omits the optional 'iss' field obtains an opaque token for their own tenant, then presents that token to a target MCP Toolbox instance configured to accept opaque tokens. The toolbox calls the legitimate (but permissive) introspection endpoint, sees active:true with no issuer, and validateClaims silently skips the issuer comparison - the request is authorized and the attacker can invoke MCP tools against the backend databases. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - operators should track googleapis/mcp-toolbox PR #3360 (https://github.com/googleapis/mcp-toolbox/pull/3360) and upgrade to the first tagged release that includes its commits, which adds an explicit 'missing issuer in token validation' rejection in validateClaims and a fail-closed check in discoverOIDCConfig. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production and non-production systems using googleapis/mcp-toolbox; determine exposure scope and systems protected by vulnerable token validation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy