Skip to main content

MCP Toolbox CVE-2026-9739

| EUVDEUVD-2026-32672 CRITICAL
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-05-27 Google GHSA-7pf3-8xx7-rvhf
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 28, 2026 - 00:51 vuln.today
Analysis Generated
May 28, 2026 - 00:51 vuln.today
CVSS changed
May 27, 2026 - 23:22 NVD
9.4 (CRITICAL)
CVE Published
May 27, 2026 - 21:38 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: * header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.

AnalysisAI

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an Access-Control-Allow-Origin: * header, which overrides the allowed-origins/allowed-hosts controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.

Technical ContextAI

MCP Toolbox for Databases is Google's open-source server (Go, repo googleapis/mcp-toolbox) that exposes database tools to LLM agents over the Model Context Protocol. One legacy MCP transport is Server-Sent Events (SSE), defined in MCP spec revision v2024-11-05, where a client opens a long-lived HTTP stream (e.g. /mcp/sse) to receive events. The root cause is CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): the diff in internal/server/mcp.go shows the SSE handler hardcoded w.Header().Set("Access-Control-Allow-Origin", "*"), instructing browsers to permit any web origin to read the response. This wildcard CORS policy nullifies the Origin/Host allow-list that was supposed to enforce MCP's security guidance, and combined with the absence of effective Host validation it enables DNS rebinding, where an attacker re-binds a domain the browser already trusts to the loopback/internal address where Toolbox listens.

RemediationAI

Upgrade to a Toolbox release that includes the fix from PR #3054 (https://github.com/googleapis/mcp-toolbox/pull/3054), which removes the hardcoded wildcard CORS header from the SSE handler so the allowed-origins and allowed-hosts flags are actually enforced; this is an upstream fix available as a merged PR, and a tagged patched release version is not independently confirmed from the provided data, so check the repository releases for the version incorporating it (tracking issue https://github.com/googleapis/mcp-toolbox/issues/3053). Until you can upgrade, the most effective compensating control is to stop using the deprecated SSE transport and switch to the streamable-HTTP MCP transport, since the bug is specific to the SSE initialization handler (trade-off: clients pinned to spec v2024-11-05/SSE must be reconfigured). If SSE must remain, place Toolbox behind a reverse proxy or local firewall that strips/overrides the wildcard CORS header and validates the Host and Origin headers against an explicit allow-list, and bind the listener to loopback or a trusted internal interface only (trade-off: breaks any legitimately remote SSE clients); explicitly setting allowed-origins/allowed-hosts is recommended as defense-in-depth but does NOT fully mitigate on its own because the hardcoded header overrode those flags on the SSE init path in vulnerable builds.

CVE-2024-41657 HIGH POC
8.8 Aug 20

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.

CVE-2021-34435 HIGH POC
8.8 Sep 01

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside th

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2024-41659 HIGH POC
8.1 Aug 20

memos is a privacy-first, lightweight note-taking service. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2024-37131 CRITICAL
9.8 Jun 13

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. Rated

CVE-2022-26969 CRITICAL
9.8 Dec 26

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9

CVE-2022-31736 CRITICAL
9.8 Dec 22

A malicious website could have learned the size of a cross-origin resource that supported Range requests. Rated critical

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-61736 CRITICAL
9.3 Jul 15

Cross-origin data theft in LightRAG server versions prior to 1.5.4 allows any malicious website to make authenticated, c

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

CVE-2023-25603 CRITICAL
9.1 Nov 14

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.

Share

CVE-2026-9739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy