Impact
The vulnerability resides in the validateOpaqueToken path of Google’s MCP Toolbox for Databases. The application calls an OAuth 2.0 introspection endpoint and decodes the response into an introspectResp structure, but the subsequent validateClaims logic enforces issuer checks only when both the configured issuer and the returned iss value are non‑empty. If the introspection response omits the optional iss field, the internal iss variable defaults to an empty string, causing the conditional to evaluate to false and the block to be skipped. As a result, the Toolbox accepts opaque tokens issued by unauthorized or unintended third‑party identity providers, enabling an attacker to authenticate with arbitrary identities. This flaw is a classic authentication bypass (CWE‑287) that can lead to full unauthorized access to the toolbox and its database management interfaces.
Affected Systems
The affected product is Google’s MCP Toolbox for Databases (googleapis/mcp-toolbox). No specific version range is listed, so any build that implements the validateOpaqueToken routine and processes OAuth introspection responses is potentially vulnerable until it incorporates the fix contained in the upstream pull request linking to the revocation logic.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity, and although no EPSS score is available, the issue is not listed in the CISA KEV catalog, suggesting it is still unexploited publicly. The attack vector likely requires the attacker to submit a malicious opaque token or a token obtained from an unauthorized provider that deliberately omits the issuer field. If the tooling is exposed to a broad set of users, an attacker who can force the toolbox to introspect a crafted token could bypass authentication and gain full control of database management functions.
OpenCVE Enrichment
Github GHSA