← voltar
CVE-2026-9739

CVE-2026-9739

CVSS 9.4 CRITICALEPSS 0.3%CWE-942
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 9.4EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
27 mai 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Produtos afetados
Google · MCP Toolbox for Databases

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/googleapis/mcp-toolbox/issues/3053https://github.com/googleapis/mcp-toolbox/pull/3054