Description
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers.

While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
Published: 2026-06-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization bypass flaw exists in MCP Toolbox for Databases that allows an authenticated user with low‑privilege access to execute high‑privilege tools. The vulnerability arises because older protocol handlers do not enforce the scopesRequired restriction, permitting a client that owns a read‑token to run admin‑level operations simply by selecting an outdated protocol version or omitting the header entirely. The result is a significant breach of confidentiality and integrity, effectively enabling privilege escalation for an attacker who can authenticate to the service.

Affected Systems

The affected component is Google’s MCP Toolbox for Databases, specifically the protocol handlers for the versions 2025‑06‑18, 2025‑03‑26, and 2024‑11‑05. Any deployment that supports these legacy handlers is susceptible when clients can present an authenticated but low‑privilege token.

Risk and Exploitability

The CVSS score of 8.6 reflects a high severity impact and a medium to high likelihood of exploitation, as the flaw can be triggered with minimal effort by an authenticated user. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be authenticated, with an attacker simply setting the MCP‑Protocol‑Version header to a vulnerable value or omitting the header to force the server to use the default 2024‑11‑05 handler. Such a path requires no special privileges beyond those the lowest‑level tokens provide, making exploitation straightforward for users with access to the system.

Generated by OpenCVE AI on June 18, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MCP Toolbox for Databases release that uses the 2025‑11‑25 protocol handler or newer; this version enforces per‑tool scope restrictions correctly.
  • Ensure all client applications explicitly include the MCP‑Protocol‑Version header with the value 2025‑11‑25 (or the newest supported version) and do not allow omission of the header. This prevents automatic fallback to vulnerable handlers.
  • If an immediate upgrade is not feasible, revoke or restrict low‑privilege tokens (e.g., read) from accessing tools that require higher scopes, and monitor logs for any unauthorized tool invocation attempts.

Generated by OpenCVE AI on June 18, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5gf6-gc35-xjpc MCP Toolbox for Databases: authenticated authorization bypass
History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google mcp Toolbox For Databases
Vendors & Products Google
Google mcp Toolbox For Databases

Thu, 18 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Authenticated Authorization Bypass via Old Protocol Versions in MCP Toolbox for Databases

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Google Mcp Toolbox For Databases
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-06-18T13:53:08.793Z

Reserved: 2026-06-09T00:53:57.846Z

Link: CVE-2026-11719

cve-icon Vulnrichment

Updated: 2026-06-18T12:55:48.454Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:56:16Z

Weaknesses