Description
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.

When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the validateOpaqueToken path of Google’s MCP Toolbox for Databases. The application calls an OAuth 2.0 introspection endpoint and decodes the response into an introspectResp structure, but the subsequent validateClaims logic enforces issuer checks only when both the configured issuer and the returned iss value are non‑empty. If the introspection response omits the optional iss field, the internal iss variable defaults to an empty string, causing the conditional to evaluate to false and the block to be skipped. As a result, the Toolbox accepts opaque tokens issued by unauthorized or unintended third‑party identity providers, enabling an attacker to authenticate with arbitrary identities. This flaw is a classic authentication bypass (CWE‑287) that can lead to full unauthorized access to the toolbox and its database management interfaces.

Affected Systems

The affected product is Google’s MCP Toolbox for Databases (googleapis/mcp-toolbox). No specific version range is listed, so any build that implements the validateOpaqueToken routine and processes OAuth introspection responses is potentially vulnerable until it incorporates the fix contained in the upstream pull request linking to the revocation logic.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, and although no EPSS score is available, the issue is not listed in the CISA KEV catalog, suggesting it is still unexploited publicly. The attack vector likely requires the attacker to submit a malicious opaque token or a token obtained from an unauthorized provider that deliberately omits the issuer field. If the tooling is exposed to a broad set of users, an attacker who can force the toolbox to introspect a crafted token could bypass authentication and gain full control of database management functions.

Generated by OpenCVE AI on June 18, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MCP Toolbox for Databases to a version that includes the fix from pull request https://github.com/googleapis/mcp-toolbox/pull/3360, which corrects the issuer validation logic.
  • If an upgrade is not yet possible, implement an additional server‑side validation that rejects opaque tokens whose introspection response lacks an identifying issuer; this can be done by checking for a non‑empty iss field before proceeding.
  • Limit the set of accepted OAuth providers by enforcing a whitelist of issuers or by disabling opaque token validation for untrusted third‑party providers until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wcpr-6g7x-p44r googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google mcp Toolbox For Databases
Vendors & Products Google
Google mcp Toolbox For Databases

Thu, 18 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass via Opaque Token Validation in MCP Toolbox for Databases

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Google Mcp Toolbox For Databases
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-06-18T13:53:14.985Z

Reserved: 2026-06-09T00:49:55.908Z

Link: CVE-2026-11718

cve-icon Vulnrichment

Updated: 2026-06-18T13:01:53.144Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:18Z

Weaknesses