Skip to main content

Mcp Toolbox For Databases Googleapis Mcp Toolbox

3 CVEs product

Monthly

CVE-2026-11719 Go HIGH PATCH GHSA This Week

Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. No public exploit identified at time of analysis, but the upstream fix (PR #3335) confirms the issue and its trivial triggering condition.

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-11718 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. No public exploit identified at time of analysis, but the upstream fix in PR #3360 confirms the defect and CVSS 4.0 scores it 9.3 (Critical).

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-11717 Go CRITICAL PATCH GHSA Act Now

Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 and trivial logic flaw make this a priority fix.

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.2%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization bypass in Google's MCP Toolbox for Databases (googleapis/mcp-toolbox) allows authenticated low-privilege clients to invoke high-privilege tools by selecting a legacy MCP protocol version. The flaw stems from missing scopesRequired enforcement in the 2025-06-18, 2025-03-26, and 2024-11-05 protocol handlers, and is reachable simply by omitting the MCP-Protocol-Version header so the server falls back to the vulnerable 2024-11-05 default. No public exploit identified at time of analysis, but the upstream fix (PR #3335) confirms the issue and its trivial triggering condition.

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in googleapis/mcp-toolbox allows remote unauthenticated attackers to gain access by presenting opaque OAuth tokens issued by unauthorized identity providers. The flaw lives in validateOpaqueToken's claim-checking logic, which silently skips issuer validation when an OAuth 2.0 introspection response omits the optional iss field. No public exploit identified at time of analysis, but the upstream fix in PR #3360 confirms the defect and CVSS 4.0 scores it 9.3 (Critical).

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in googleapis/mcp-toolbox lets remote unauthenticated attackers reach protected tools and backing data sources by submitting an OAuth 2.0 introspection response that omits the mandatory 'active' field. Because validateOpaqueToken stores Active as *bool and only rejects when the pointer is non-nil and false, a nil value falls through as authorized. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 and trivial logic flaw make this a priority fix.

Authentication Bypass Mcp Toolbox For Databases Googleapis Mcp Toolbox
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy