Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: * header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
AnalysisAI
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an Access-Control-Allow-Origin: * header, which overrides the allowed-origins/allowed-hosts controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.
Technical ContextAI
MCP Toolbox for Databases is Google's open-source server (Go, repo googleapis/mcp-toolbox) that exposes database tools to LLM agents over the Model Context Protocol. One legacy MCP transport is Server-Sent Events (SSE), defined in MCP spec revision v2024-11-05, where a client opens a long-lived HTTP stream (e.g. /mcp/sse) to receive events. The root cause is CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): the diff in internal/server/mcp.go shows the SSE handler hardcoded w.Header().Set("Access-Control-Allow-Origin", "*"), instructing browsers to permit any web origin to read the response. This wildcard CORS policy nullifies the Origin/Host allow-list that was supposed to enforce MCP's security guidance, and combined with the absence of effective Host validation it enables DNS rebinding, where an attacker re-binds a domain the browser already trusts to the loopback/internal address where Toolbox listens.
RemediationAI
Upgrade to a Toolbox release that includes the fix from PR #3054 (https://github.com/googleapis/mcp-toolbox/pull/3054), which removes the hardcoded wildcard CORS header from the SSE handler so the allowed-origins and allowed-hosts flags are actually enforced; this is an upstream fix available as a merged PR, and a tagged patched release version is not independently confirmed from the provided data, so check the repository releases for the version incorporating it (tracking issue https://github.com/googleapis/mcp-toolbox/issues/3053). Until you can upgrade, the most effective compensating control is to stop using the deprecated SSE transport and switch to the streamable-HTTP MCP transport, since the bug is specific to the SSE initialization handler (trade-off: clients pinned to spec v2024-11-05/SSE must be reconfigured). If SSE must remain, place Toolbox behind a reverse proxy or local firewall that strips/overrides the wildcard CORS header and validates the Host and Origin headers against an explicit allow-list, and bind the listener to loopback or a trusted internal interface only (trade-off: breaks any legitimately remote SSE clients); explicitly setting allowed-origins/allowed-hosts is recommended as defense-in-depth but does NOT fully mitigate on its own because the hardcoded header overrode those flags on the SSE init path in vulnerable builds.
More in Cors Misconfiguration
View allCasdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th
Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel
SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9
A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint
Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32672
GHSA-7pf3-8xx7-rvhf