Description
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.

When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an oversight in the unparsed opaque token validation path. The validateOpaqueToken function interprets the active field from the OAuth 2.0 introspection response as a pointer to a boolean. The code only rejects a token when the response explicitly contains an active field set to false; if the active key is omitted, the pointer remains nil and the check short‑circuits. Consequently, the toolbox accepts tokens that lack the required active claim, enabling an attacker to use any such token to gain access to protected tools and data.
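The following Go program is an added illustration, not code from the mcp-toolbox project: it reproduces the check as the advisory describes it beside a version that fails closed when the RFC 7662 `active` member is absent or null. The struct fields, function names and the sample introspection bodies are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// introspectResp models the subset of an RFC 7662 introspection response this
// example needs. Field names are assumptions for illustration, not the
// project's own struct. Active is *bool so that "absent" and "false" differ.
type introspectResp struct {
	Active *bool  `json:"active"`
	Scope  string `json:"scope,omitempty"`
}

// decode parses the raw introspection body. Any JSON error is a rejection,
// so a non-boolean "active" value can never be accepted.
func decode(body []byte) (*introspectResp, error) {
	var r introspectResp
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("introspection response is not valid JSON: %w", err)
	}
	return &r, nil
}

// validateVulnerable reproduces the logic the advisory describes: only an
// explicit "active": false is rejected, so a body that omits the key (or sets
// it to null) leaves Active nil and the token is accepted.
func validateVulnerable(body []byte) error {
	r, err := decode(body)
	if err != nil {
		return err
	}
	if r.Active != nil && !*r.Active {
		return errors.New("token inactive")
	}
	return nil
}

// validateFixed requires "active" to be present and true. RFC 7662 section 2.2
// makes the member REQUIRED, so its absence means a malformed or untrustworthy
// response and the check fails closed.
func validateFixed(body []byte) error {
	r, err := decode(body)
	if err != nil {
		return err
	}
	if r.Active == nil {
		return errors.New(`introspection response missing required "active" field`)
	}
	if !*r.Active {
		return errors.New("token inactive")
	}
	return nil
}

func main() {
	// Constructed sample responses; none come from a real authorization server.
	samples := []struct{ name, body string }{
		{"active true", `{"active": true, "scope": "read"}`},
		{"active false", `{"active": false}`},
		{"active omitted", `{"scope": "read"}`},
		{"active null", `{"active": null}`},
		{"active as string", `{"active": "true"}`},
	}
	for _, s := range samples {
		fmt.Printf("%-17s vulnerable=%v fixed=%v\n", s.name,
			validateVulnerable([]byte(s.body)) == nil,
			validateFixed([]byte(s.body)) == nil)
	}
}
```

Running it shows the two checks agreeing on `true` and `false` and disagreeing only on the omitted and null cases, which is exactly the gap the advisory describes; the `null` case matters because `encoding/json` leaves a pointer nil for JSON null just as it does for a missing key.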

Affected Systems

Affected systems are implementations of Google MCP Toolbox for Databases (googleapis/mcp-toolbox). The issue applies to any deployment that uses the validateOpaqueToken path to authenticate users through an OAuth 2.0 introspection endpoint as defined in RFC 7662. The specific version ranges affected are not detailed, so all current releases prior to the fix should be considered vulnerable unless explicitly updated.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity, with the potential for remote attackers to compromise sensitive data. The EPSS score is unavailable but the vulnerability has not been listed in the CISA KEV catalog. The attack requires access to an introspection endpoint that may return a response missing the active field, which could be manipulated by a malicious or compromised OAuth provider. The flaw is exploitable over the network and does not necessitate privileged local access, implying a high likelihood of exploitation in environments where such introspection endpoints are reachable from the internet or compromised.

Generated by OpenCVE AI on June 18, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of MCP Toolbox that includes the patch from pull request 3341, which validates the presence of the active field before accepting a token.
  • If an upgrade is not immediately possible, update the introspection endpoint configuration to enforce inclusion of the mandatory active key in all responses, or reject any token when the active field is missing.
  • Consider temporarily disabling the validateOpaqueToken path or enforcing client‑side token validation wherever feasible as a short‑term workaround.
  • Perform a security review of all OAuth 2.0 introspection endpoints to ensure compliance with RFC 7662 and to detect any malicious or misconfigured responses.

Generated by OpenCVE AI on June 18, 2026 at 17:53 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-8fcc-w5hv-4gxv
Title: googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
History

Thu, 18 Jun 2026 18:15:00 +0000

Type: Title
Values removed: (none)
Values added: Authentication Bypass in MCP Toolbox's Opaque Token Validation

Thu, 18 Jun 2026 16:45:00 +0000

Type: Description
Values removed: (none)
Values added: An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.

Type: Weaknesses
Values removed: (none)
Values added: CWE-287

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}



MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-06-18T12:23:15.209Z

Reserved: 2026-06-09T00:41:54.835Z

Link: CVE-2026-11717

Vulnrichment

Updated: 2026-06-18T12:23:07.609Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:00:11Z

Weaknesses