CVE-2026-34237
6.1 MEDIUM · MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients
Published: 2026-03-31 · Last updated: 2026-06-09
Severity and scoring
- CVSS: 6.1 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE: CWE-942
Affected products
| Vendor | Product |
|---|---|
| lfprojects | mcp_java_sdk |
Description
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-34237)
- [Patch](https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289)
- [Patch](https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525)
- [Vendor advisory](https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22)
Related CVEs
Same vendor
- CVE-2026-10803 — A flaw has been found in MLflow up to 3.10.0 (3.6 LOW)
- CVE-2026-4035 — A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which... (7.7 HIGH)
- CVE-2026-3198 — MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints (6.5 MEDIUM)
- CVE-2026-2651 — A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifac... (9.0 CRITICAL)
- CVE-2026-2734 — In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack... (6.5 MEDIUM)
Same CWE
- CVE-2026-50088 — The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cro... (8.2 HIGH)
- CVE-2026-50087 — The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942:... (8.2 HIGH)
- CVE-2026-10056 — CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security... (7.5 HIGH)
- CVE-2026-46685 — RustFS is a distributed object storage system built in Rust
- CVE-2026-45021 — Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs