Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable auth bypass with no privileges or user interaction; full read/write access to protected MCP operations gives C:H/I:H, while availability is unaffected.
Primary rating from Vendor (Google).
CVSS VectorVendor: Google
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.
When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.
AnalysisAI
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target MCP Toolbox deployment be configured to use the generic OAuth auth provider with opaque-token validation against an RFC 7662 introspection endpoint, and that the introspection response for an attacker-controlled token omits the optional 'iss' field - under those conditions, no authentication or user interaction is needed (CVSS PR:N/UI:N) and the attacker only needs network reach to the toolbox's authenticated endpoints. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) and 9.3 base score correctly reflect that exploitation requires only network reach to the toolbox's authenticated endpoints plus a token from any cooperating OAuth introspection endpoint that does not return an iss claim - no privileges, no user interaction, low complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or can use an OAuth provider whose RFC 7662 introspection response omits the optional 'iss' field obtains an opaque token for their own tenant, then presents that token to a target MCP Toolbox instance configured to accept opaque tokens. The toolbox calls the legitimate (but permissive) introspection endpoint, sees active:true with no issuer, and validateClaims silently skips the issuer comparison - the request is authorized and the attacker can invoke MCP tools against the backend databases. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - operators should track googleapis/mcp-toolbox PR #3360 (https://github.com/googleapis/mcp-toolbox/pull/3360) and upgrade to the first tagged release that includes its commits, which adds an explicit 'missing issuer in token validation' rejection in validateClaims and a fail-closed check in discoverOIDCConfig. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all production and non-production systems using googleapis/mcp-toolbox; determine exposure scope and systems protected by vulnerable token validation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege c
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37880
GHSA-wcpr-6g7x-p44r