HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11624Published Modified CNA Google

CVE-2026-11624: The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

Metrics

CVSS v4.0
9.4
Severity
CRITICAL
Fixed in
0.25.0
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a DNS rebinding vulnerability in Google MCP Toolbox for Databases, affecting all versions prior to 0.25.0. The server failed to validate the Origin header on incoming connections, allowing a remote attacker to trick a victim's browser into making cross-origin requests to the local MCP server as if they originated from a trusted source. Successful exploitation gives an attacker full read, write, and availability control over the affected service and any connected systems. A patched-image rebuild at version 0.25.0 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle MCP Toolbox for Databases. Any image containing a version below 0.25.0 is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 9.4 (Critical) using the upstream v4.0 vector and weighs it against each environment's compliance policy to set urgency. The resulting alert is routed to the appropriate team inbox within the customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at version 0.25.0 becomes available in HarborGuard as soon as the fix version is confirmed against the affected image layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workload manifests.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the MCP Toolbox server over the network, since the attack vector is Network (AV:N).

  • AuthenticationNot required

    No credentials are needed to attempt this attack; the CVSS vector specifies PR:N, meaning any unauthenticated party can initiate the exploit.

  • Victim interactionRequired

    The attack requires a victim to interact, such as visiting a malicious web page that performs the DNS rebinding request on their behalf (UI:A).

  • Attack complexityDetail

    Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors.

Blast Radius

  • Reads confidential data handled by the MCP server and its connected databases, including credentials, query results, and stored records (VC:H).
  • Modifies or deletes data in connected database systems, since integrity impact is High for both the vulnerable component and downstream systems (VI:H, SI:H).
  • Crashes or degrades the MCP server and any services it connects to, given High availability impact across both the vulnerable and subsequent components (VA:H, SA:H).
  • Pivots laterally into systems reachable through the MCP Toolbox server's database connections, extending the attacker's foothold beyond the initial target (SC:H).

How HarborGuard Handles This

Available on HarborGuard: images containing MCP Toolbox for Databases below version 0.25.0 are matched against this CVE within minutes of publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 0.25.0 (which introduces the --allowed-hosts flag alongside --allowed-origins), runs a regression test, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the responsible team for review. Until the patched image is deployed, compensating controls to consider include network-policy rules that restrict which origins can reach the MCP Toolbox port and egress filtering to limit the server's outbound database connectivity to known-good hosts.

See how HarborGuard automates this

Fix available

0.25.0
Affected packages
  • Google / MCP Toolbox for Databases
    < 0.25.0 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References