Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote HTTP exploitation with a valid low-privilege token (PR:L), no user interaction, trivial header manipulation (AC:L); privileged tool execution yields high confidentiality and integrity impact but not availability.
Primary rating from Vendor (Google).
CVSS VectorVendor: Google
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.
While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
AnalysisAI
Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) a deployment with an MCP-enabled generic auth service (McpEnabled=true) and per-tool scopesRequired configured for privilege separation, and (2) possession of any valid bearer token accepted by that auth service, even one with minimal scopes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N (8.6 High) is credible: exploitation requires only a valid low-privilege token plus the ability to set or omit an HTTP header, with no user interaction and high confidentiality and integrity impact on the data the toolbox can reach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user (or a compromised partner integration) holding a token scoped only for read tools sends an MCP tool-call request to the toolbox with the MCP-Protocol-Version header omitted or set to 2024-11-05. The server routes the call through the legacy handler that skips scopesRequired enforcement and executes an admin-tier tool such as a privileged SQL execution or schema-mutation tool, exfiltrating or modifying data the caller was never authorized to touch. |
| Remediation | Upgrade to the googleapis/mcp-toolbox release that incorporates PR #3335 (https://github.com/googleapis/mcp-toolbox/pull/3335), which adds the ValidateScopes helper in internal/server/mcp/util/auth.go and invokes it from every protocol handler; upstream fix available (PR/commit), released patched version not independently confirmed from the supplied data, so confirm the tagged version on the project release page before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all deployments of googleapis/mcp-toolbox with MCP protocol versions 2024-11-05, 2025-03-26, or 2025-06-18 installed; audit access logs for unusual protocol version usage or scope escalation attempts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opa
Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37881
GHSA-5gf6-gc35-xjpc