CVE-2026-9739
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790)
Published: 2026-05-27 · Last updated: 2026-05-29
Severity and scoring
- CWE
- CWE-942
Description
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-10056 — CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security... (7.5 HIGH)
- CVE-2026-46685 — RustFS is a distributed object storage system built in Rust
- CVE-2026-45021 — Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs
- CVE-2026-44895 — GitLab MCP Server lets an AI agent talk directly to GitLab
- CVE-2026-46431 — Algernon is a small self-contained pure-Go web server (4.3 MEDIUM)