Description
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.
Published: 2026-06-13
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Model Context Protocol (MCP) did not validate the Origin header on incoming connections before version 0.25.0, which creates a risk of DNS rebinding attacks. In a DNS rebinding scenario, a malicious site can alternate DNS responses to trick the MCP server into thinking requests come from a trusted origin, thereby bypassing same‑origin restrictions. This flaw is categorized as CWE‑346, representing improper origin validation. The absence of host verification may allow attackers to connect to the server from untrusted domains and potentially exfiltrate data or perform unauthorized operations.

Affected Systems

All installations of Google MCP Toolbox for Databases that are older than v0.25.0 are affected. The vulnerability arises because the tool defaults to allowing all origins and hosts until the user explicitly configures restrictions via the --allowed-hosts or --allowed-origins flags. The new flags were only introduced in the v0.25.0 release, making all earlier releases susceptible to this issue.

Risk and Exploitability

The CVSS score of 9.4 indicates a high severity, reflecting a high impact and high exploitation likelihood via the network. No EPSS score is available, which means the historical exploitation probability is unknown, but the lack of validation combined with the default wildcard configuration makes exploitation straightforward for remote attackers who can direct traffic to the MCP server. The vulnerability is not listed in the CISA KEV catalog, implying no publicly available exploit remains in circulation, yet the inherent weakness still poses a serious risk for environments that rely on the MCP server to enforce origin constraints.

Generated by OpenCVE AI on June 13, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MCP Toolbox for Databases to version 0.25.0 or newer.
  • Configure the --allowed-hosts and --allowed-origins flags to specify trusted hosts and origins instead of the default '*'; be sure to restart the server after changes.
  • Restrict network access to the MCP server using firewall rules or reverse proxy to only allow connections from trusted IP addresses or internal networks.

Generated by OpenCVE AI on June 13, 2026 at 10:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Title Model Context Protocol Allows DNS Rebinding Due to Origin Header Validation Failure

Sat, 13 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google mcp Toolbox For Databases
Vendors & Products Google
Google mcp Toolbox For Databases

Sat, 13 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
Description The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Google Mcp Toolbox For Databases
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-06-13T08:38:42.908Z

Reserved: 2026-06-08T20:57:51.543Z

Link: CVE-2026-11624

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-13T10:16:17.700

Modified: 2026-06-13T10:16:17.700

Link: CVE-2026-11624

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T11:00:07Z

Weaknesses