Skip to main content

Mcp Toolbox For Databases

2 CVEs product

Monthly

CVE-2026-11720 CRITICAL PATCH Act Now

{{.id}} to sensitive endpoints such as /admin/secrets. Carries a CVSS 4.0 base score of 9.3 (critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-11624 CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

{{.id}} to sensitive endpoints such as /admin/secrets. Carries a CVSS 4.0 base score of 9.3 (critical); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Mcp Toolbox For Databases
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Missing Origin/Host header validation in Google's MCP Toolbox for Databases (Model Context Protocol server) prior to v0.25.0 allows remote attackers to reach the locally-bound HTTP server via DNS rebinding from a victim's browser, abusing the bridge to issue arbitrary tool/database commands. The fix introduces a new --allowed-hosts startup flag (companion to the existing --allowed-origins) that validates inbound Host headers, though both flags retain an insecure-by-default '*' value with only a startup warning. No public exploit identified at time of analysis; the issue was reported internally by Google.

Information Disclosure Mcp Toolbox For Databases
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy