CVE-2026-11624

Published: 2026-06-13 · Last updated: 2026-06-13

Severity and scoring

CWE
CWE-346

Description

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

Source: NVD
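As a defensive illustration of the checks the description refers to, the following is an added example, not code from the MCP project, the affected server, or the advisory. It models a Host and Origin allowlist of the kind the "--allowed-hosts" and "--allowed-origins" flags describe, with "*" as the allow-all default and the startup warning the description mentions. The function names, the matching rules (case-insensitive hostname match with an optional port, Origin compared as scheme://host:port with default ports filled in) and the treatment of a missing Origin header are all assumptions; the page only states that the two flags exist, default to "*", and that "*" produces a startup warning.

```python
"""Host/Origin allowlist checks for an HTTP-based MCP-style server.

Added example (assumed design, not the project's own code). A DNS rebinding
attack reaches a local server through a browser, so the two signals a server
can check are the Host header (does the client think it is talking to us?)
and the Origin header (which web page issued the request?).
"""
from urllib.parse import urlsplit

ALLOW_ALL = "*"  # assumed default for both flags, as the description states


def startup_warnings(allowed_hosts, allowed_origins):
    """Return the warning lines a server would print at startup.

    An empty list means both allowlists are restrictive.
    """
    msgs = []
    if ALLOW_ALL in allowed_hosts:
        msgs.append("--allowed-hosts is '*': Host header is not validated; "
                    "DNS rebinding is possible")
    if ALLOW_ALL in allowed_origins:
        msgs.append("--allowed-origins is '*': Origin header is not validated; "
                    "any web page may reach this server")
    return msgs


def _split_host(value):
    """Return (hostname, port) from a Host header value or allowlist entry.

    Uses urlsplit on '//value' so bracketed IPv6 literals and ports are parsed
    consistently; hostname comes back lowercased, port is None if absent.
    Raises ValueError on a malformed port.
    """
    parts = urlsplit("//" + value.strip())
    return (parts.hostname or ""), parts.port


def host_allowed(host_header, allowed_hosts):
    """True if the Host header matches an allowlist entry.

    An entry without a port matches any port; an entry with a port must
    match exactly. A missing or unparsable Host header is rejected.
    """
    if ALLOW_ALL in allowed_hosts:
        return True
    if not host_header:
        return False
    try:
        hostname, port = _split_host(host_header)
        if not hostname:
            return False
        for entry in allowed_hosts:
            e_host, e_port = _split_host(entry)
            if e_host == hostname and (e_port is None or e_port == port):
                return True
    except ValueError:
        return False
    return False


def _normalize_origin(value):
    """Canonicalise an Origin as 'scheme://host:port' (default port filled in).

    Raises ValueError for 'null', non-http(s) schemes, or a missing host.
    """
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) origin")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    host = parts.hostname
    if ":" in host:  # re-bracket IPv6 literals
        host = f"[{host}]"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(origin_header, allowed_origins, allow_missing_origin=False):
    """True if the Origin header matches an allowlist entry.

    Browsers always send Origin on cross-origin and WebSocket requests, so a
    missing Origin normally indicates a non-browser client; whether to admit
    it is a policy choice, exposed here as allow_missing_origin (assumed).
    """
    if ALLOW_ALL in allowed_origins:
        return True
    if origin_header is None:
        return allow_missing_origin
    try:
        wanted = _normalize_origin(origin_header)
        return any(_normalize_origin(e) == wanted for e in allowed_origins)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    for line in startup_warnings(["*"], ["http://localhost:3000"]):
        print("WARNING:", line)
    print(host_allowed("localhost:8080", ["localhost"]))           # True
    print(origin_allowed("http://evil.example", ["http://localhost:3000"]))  # False
```

The two checks are independent on purpose: Host validation defeats rebinding even when Origin is absent, and Origin validation stops a page on an allowed host from being driven by a different site. Running with either list set to "*" keeps the server reachable exactly as before, which is why the warning rather than a hard failure is the right signal for a compatibility-preserving default.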

Related CVEs

Same CWE

  • CVE-2026-45173 Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its...
  • CVE-2026-12032 Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromis... (3.1 LOW)
  • CVE-2026-12024 Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin poli... (6.5 MEDIUM)
  • CVE-2026-41700 Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking (8.1 HIGH)
  • CVE-2026-42558 Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)