Skip to main content

Java CVE-2026-34237

MEDIUM
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-03-30 https://github.com/modelcontextprotocol/java-sdk GHSA-hv2w-8mjj-jw22
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 17:36 vuln.today
CVE Published
Mar 30, 2026 - 17:26 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 33 maven packages depend on io.modelcontextprotocol.sdk:mcp-core (12 direct, 21 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionGitHub Advisory

Summary

Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )

  • https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
  • https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525

Attack Scenario

An attacker-controlled web page instructs the victim's browser to open GET https://internal-mcp-server/sse. Because Access-Control-Allow-Origin: * allows cross-origin SSE reads, the attacker's page receives the endpoint event - which contains the session ID. The attacker can then POST to that endpoint from their page using the victim's browser as a relay.

Comparison with python-sdk

No Access-Control-Allow-Origin header is emitted by either Python transport. The browser's default same-origin policy remains in full effect. https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/sse.py https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py

Recommendation

In the SDK, the transport layer should not own CORS policy. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer.

Resources

  • https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin

AnalysisAI

Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.

Technical ContextAI

The Model Context Protocol Java SDK implements two HTTP-based server transports for streaming operations: Server-Sent Events (SSE) and a streamable HTTP transport. Both transport providers unconditionally emit Access-Control-Allow-Origin: * response headers, which tells victim browsers that cross-origin JavaScript from any domain may read the response body and headers. Server-Sent Events (SSE) is a unidirectional streaming protocol where the server pushes data to connected clients; the MCP protocol uses SSE endpoints to transmit session initialization data including session IDs. Affected products are identified by Maven coordinates io.modelcontextprotocol.sdk:mcp-core. The root cause is classified as CWE-942 (Permissive Cross-domain Policy), a category that captures overly permissive CORS configurations that violate the browser's same-origin security policy. The Python SDK does not exhibit this flaw because its SSE and HTTP transport implementations do not emit CORS headers at all, relying on browser default same-origin enforcement.

RemediationAI

Patch the Java SDK by removing hardcoded Access-Control-Allow-Origin: * headers from the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes. Implementors should delegate CORS policy to the servlet container or framework layer (e.g., Spring Security, servlet filters) rather than the transport SDK. If a patched version of mcp-core is released, upgrade to that version immediately. As a temporary workaround, server implementors can add a servlet filter or Spring Security configuration that strips or overrides the CORS headers emitted by the transport layer, enforcing the restrictive same-origin policy by default. For deployments requiring genuine cross-origin access, explicitly configure a CORS filter with a allowlist of trusted origins rather than wildcard patterns. Consult the OWASP HTTP Headers Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin) for correct CORS implementation guidance.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-34237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy