Impact
An authorization bypass flaw exists in MCP Toolbox for Databases that allows an authenticated user with low‑privilege access to execute high‑privilege tools. The vulnerability arises because older protocol handlers do not enforce the scopesRequired restriction, permitting a client that owns a read‑token to run admin‑level operations simply by selecting an outdated protocol version or omitting the header entirely. The result is a significant breach of confidentiality and integrity, effectively enabling privilege escalation for an attacker who can authenticate to the service.
Affected Systems
The affected component is Google’s MCP Toolbox for Databases, specifically the protocol handlers for the versions 2025‑06‑18, 2025‑03‑26, and 2024‑11‑05. Any deployment that supports these legacy handlers is susceptible when clients can present an authenticated but low‑privilege token.
Risk and Exploitability
The CVSS score of 8.6 reflects a high severity impact and a medium to high likelihood of exploitation, as the flaw can be triggered with minimal effort by an authenticated user. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be authenticated, with an attacker simply setting the MCP‑Protocol‑Version header to a vulnerable value or omitting the header to force the server to use the default 2024‑11‑05 handler. Such a path requires no special privileges beyond those the lowest‑level tokens provide, making exploitation straightforward for users with access to the system.
OpenCVE Enrichment
Github GHSA