Skip to main content

MCP Toolbox for Databases EUVDEUVD-2026-37881

| CVE-2026-11719 HIGH
Missing Authorization (CWE-862)
2026-06-18 Google GHSA-5gf6-gc35-xjpc
8.6
CVSS 4.0 · Vendor: Google
Share

Severity by source

Vendor (Google) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Remote HTTP exploitation with a valid low-privilege token (PR:L), no user interaction, trivial header manipulation (AC:L); privileged tool execution yields high confidentiality and integrity impact but not availability.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Google).

CVSS VectorVendor: Google

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 12:34 vuln.today
Analysis Generated
Jun 18, 2026 - 12:34 vuln.today

DescriptionCVE.org

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.

While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).

AnalysisAI

Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege MCP bearer token
Delivery
Identify high-privilege tool name and scopes
Exploit
Send tools/call request omitting MCP-Protocol-Version header
Execution
Legacy 2024-11-05 handler skips scopesRequired check
Persist
Privileged database tool executes under attacker control
Impact
Exfiltrate or modify protected data

Vulnerability AssessmentAI

Exploitation Requires (1) a deployment with an MCP-enabled generic auth service (McpEnabled=true) and per-tool scopesRequired configured for privilege separation, and (2) possession of any valid bearer token accepted by that auth service, even one with minimal scopes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N (8.6 High) is credible: exploitation requires only a valid low-privilege token plus the ability to set or omit an HTTP header, with no user interaction and high confidentiality and integrity impact on the data the toolbox can reach. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user (or a compromised partner integration) holding a token scoped only for read tools sends an MCP tool-call request to the toolbox with the MCP-Protocol-Version header omitted or set to 2024-11-05. The server routes the call through the legacy handler that skips scopesRequired enforcement and executes an admin-tier tool such as a privileged SQL execution or schema-mutation tool, exfiltrating or modifying data the caller was never authorized to touch.
Remediation Upgrade to the googleapis/mcp-toolbox release that incorporates PR #3335 (https://github.com/googleapis/mcp-toolbox/pull/3335), which adds the ValidateScopes helper in internal/server/mcp/util/auth.go and invokes it from every protocol handler; upstream fix available (PR/commit), released patched version not independently confirmed from the supplied data, so confirm the tagged version on the project release page before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployments of googleapis/mcp-toolbox with MCP protocol versions 2024-11-05, 2025-03-26, or 2025-06-18 installed; audit access logs for unusual protocol version usage or scope escalation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy