Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via browser rebinding (AV:N), timing/DNS coordination raises AC:H, no toolbox auth (PR:N), victim must load attacker page (UI:R), and rebinding crosses browser→server authority (S:C) to fully compromise the proxied database.
Primary rating from Vendor (Google).
CVSS VectorVendor: Google
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.
AnalysisAI
Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.
Technical ContextAI
The Model Context Protocol (MCP) is the JSON-RPC-style protocol used by AI agents to invoke tools and data sources; Google's MCP Toolbox for Databases is a Go-based reference server (cpe:2.3:a:google:mcp_toolbox_for_databases) that exposes database tooling to MCP clients, typically over HTTP bound to localhost/127.0.0.1. CWE-346 (Origin Validation Error) is the root class: before v0.25.0 the server inspected only the Origin header (via --allowed-origins) and never validated the Host header, so a victim's browser tricked by a DNS-rebinding page could resolve an attacker domain to 127.0.0.1 and submit cross-origin requests that the toolbox accepted. The PR diff in googleapis/mcp-toolbox#2254 adds an AllowedHosts slice in cmd/root.go and updates the deploy_docker/deploy_gke/deploy_toolbox docs to instruct operators to pass --allowed-hosts=<expected-host>; a TODO comment in the patch explicitly flags the default '*' as 'Insecure by default. Might consider updating this for v1.0.0.'
RemediationAI
Upstream fix available via PR googleapis/mcp-toolbox#2254 merged into the v0.25.0 release; upgrade to v0.25.0 or later and, critically, set --allowed-hosts to the exact host(s) clients should use (e.g. --allowed-hosts=localhost:5000 for local use, or --allowed-hosts=$HOST for Cloud Run as shown in docs/en/how-to/deploy_toolbox.md) because the flag still defaults to the insecure '*' value and only emits a startup warning. Keep --allowed-origins similarly scoped to expected client origins rather than '*'. If immediate upgrade is not possible, compensating controls are to bind the server to a non-loopback interface behind a reverse proxy that enforces Host header validation, or to block outbound DNS resolution to RFC1918/loopback addresses from operator browsers (trade-off: breaks legitimate local development tools); restricting toolbox processes to dedicated sandboxed users limits the blast radius into the backend database when rebinding succeeds. See https://github.com/googleapis/mcp-toolbox/issues/3113 and https://github.com/googleapis/mcp-toolbox/pull/2254 for authoritative guidance.
More in Mcp Toolbox For Databases
View allSame weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36650
GHSA-76g7-m3xw-x9gr