Java
CVE-2026-34237
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 33 maven packages depend on io.modelcontextprotocol.sdk:mcp-core (12 direct, 21 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionGitHub Advisory
Summary
Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525
Attack Scenario
An attacker-controlled web page instructs the victim's browser to open GET https://internal-mcp-server/sse. Because Access-Control-Allow-Origin: * allows cross-origin SSE reads, the attacker's page receives the endpoint event - which contains the session ID. The attacker can then POST to that endpoint from their page using the victim's browser as a relay.
Comparison with python-sdk
No Access-Control-Allow-Origin header is emitted by either Python transport. The browser's default same-origin policy remains in full effect. https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/sse.py https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py
Recommendation
In the SDK, the transport layer should not own CORS policy. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer.
Resources
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin
AnalysisAI
Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.
Technical ContextAI
The Model Context Protocol Java SDK implements two HTTP-based server transports for streaming operations: Server-Sent Events (SSE) and a streamable HTTP transport. Both transport providers unconditionally emit Access-Control-Allow-Origin: * response headers, which tells victim browsers that cross-origin JavaScript from any domain may read the response body and headers. Server-Sent Events (SSE) is a unidirectional streaming protocol where the server pushes data to connected clients; the MCP protocol uses SSE endpoints to transmit session initialization data including session IDs. Affected products are identified by Maven coordinates io.modelcontextprotocol.sdk:mcp-core. The root cause is classified as CWE-942 (Permissive Cross-domain Policy), a category that captures overly permissive CORS configurations that violate the browser's same-origin security policy. The Python SDK does not exhibit this flaw because its SSE and HTTP transport implementations do not emit CORS headers at all, relying on browser default same-origin enforcement.
RemediationAI
Patch the Java SDK by removing hardcoded Access-Control-Allow-Origin: * headers from the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes. Implementors should delegate CORS policy to the servlet container or framework layer (e.g., Spring Security, servlet filters) rather than the transport SDK. If a patched version of mcp-core is released, upgrade to that version immediately. As a temporary workaround, server implementors can add a servlet filter or Spring Security configuration that strips or overrides the CORS headers emitted by the transport layer, enforcing the restrictive same-origin policy by default. For deployments requiring genuine cross-origin access, explicitly configure a CORS filter with a allowlist of trusted origins rather than wildcard patterns. Consult the OWASP HTTP Headers Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin) for correct CORS implementation guidance.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hv2w-8mjj-jw22