Description
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Streamable HTTP server transport in the RMCP Rust SDK fails to validate the incoming Host header, enabling a malicious external site to perform a DNS rebinding attack. By resolving a domain to the victim's loopback or private network address, the attacker can send authenticated requests that the server accepts, potentially exposing privileged functionality or executing commands on the host.

Affected Systems

This weakness exists in all releases of the rmcp crate prior to version 1.4.0 from the modelcontextprotocol:rust-sdk collection. Any deployment relying on these earlier versions is vulnerable; the fix is delivered in 1.4.0 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is not available, but the nature of the attack relies on an attacker controlling a DNS domain and an accessible internal interface, giving the attack vector a network level. Because the result is unauthorized internal communication, the risk to confidentiality and integrity is significant, and the possibility of exploitation remains; it is not yet listed in KEV.

Generated by OpenCVE AI on May 14, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the rmcp crate to version 1.4.0 or later to enforce Host header validation.
  • If upgrading is not immediately possible, implement validation that rejects unexpected or external Host headers in incoming HTTP requests.
  • Restrict the Service to internal networks only and block inbound connections from the public network or apply firewall rules to prevent DNS rebinding exploits.

Generated by OpenCVE AI on May 14, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-89vp-x53w-74fx rmcp Streamable HTTP server transport has a DNS rebinding vulnerability
History

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Title RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport
Weaknesses CWE-346
CWE-350
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T16:00:33.149Z

Reserved: 2026-04-28T16:56:50.192Z

Link: CVE-2026-42559

cve-icon Vulnrichment

Updated: 2026-05-14T16:00:29.092Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T15:16:46.750

Modified: 2026-05-14T17:19:49.973

Link: CVE-2026-42559

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T16:30:24Z

Weaknesses