Description
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
Published: 2026-05-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A hardcoded Access‑Control‑Allow‑Origin: * header in the Server‑Side‑Events (SSE) initialization handler for Google MCP Toolbox for Databases allows DNS rebinding attacks when users connect via SSE under specification v2024‑11‑05. Based on the description, the attacker can manipulate the DNS resolution of the client to redirect the browser to arbitrary destinations after the initial connection, causing the browser to issue requests to malicious servers while still trusting the Toolbox endpoint. This bypasses the same‑origin policy and can lead to unintended data exposure or unauthorized manipulation of database operations.

Affected Systems

Google MCP Toolbox for Databases, beta period. The vulnerability affects users connecting with SSE using the v2024‑11‑05 specification. No other product versions are indicated as impacted.

Risk and Exploitability

With a CVSS score of 9.4 the vulnerability is of high severity. EPSS data is not available and the issue is not listed in CISA KEV. Based on the description, the likely attack vector requires an attacker who can control DNS for a target domain to force a client using Toolbox to rebind the origin after the initial request. Because the tool exposes a wildcard Access‑Control‑Allow‑Origin header, the browser will accept cross‑site requests, making the attack plausible and impactful for any user who runs Toolbox in a browser environment.

Generated by OpenCVE AI on May 28, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from GitHub pull request #3054 to remove the wildcard CORS header and enforce allowed‑origins and allowed‑hosts flags.
  • If the patch cannot be applied immediately, disable the SSE feature or configure it to accept requests only from trusted hosts.
  • Monitor logs for unexpected CORS requests or DNS rebind patterns and coordinate with network security to block malicious domains.

Generated by OpenCVE AI on May 28, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google mcp Toolbox For Databases
Vendors & Products Google
Google mcp Toolbox For Databases

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title DNS Rebinding via SSE Causing CORS Bypass in MCP Toolbox for Databases

Wed, 27 May 2026 22:30:00 +0000

Type Values Removed Values Added
Description Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
Weaknesses CWE-942
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Google Mcp Toolbox For Databases
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-05-28T13:20:43.816Z

Reserved: 2026-05-27T17:31:41.604Z

Link: CVE-2026-9739

cve-icon Vulnrichment

Updated: 2026-05-28T13:19:59.632Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T23:16:48.573

Modified: 2026-05-29T15:42:56.873

Link: CVE-2026-9739

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:49:47Z

Weaknesses