HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11717Published Modified CNA Google

CVE-2026-11717: An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in the opaque token validation logic (validateOpaqueToken) of Google MCP Toolbox for Databases (googleapis/mcp-toolbox), versions 1.3.0 and earlier. The flaw is reachable over the network without any credentials: when an OAuth 2.0 token introspection endpoint returns a response that omits the required 'active' field entirely, the Go pointer (*bool) for that field remains nil, and the conditional check short-circuits, accepting the token as valid. Successful exploitation gives an unauthenticated attacker full read and write access to any tools and data sources the Toolbox instance exposes. No upstream fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-11717 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle googleapis/mcp-toolbox at version 1.3.0 or earlier. Coverage extends to both registry scans and active CI/CD pipeline checks, so newly pushed images are evaluated before they reach production.

Available
Triage

Triage is available using the CVSS v4.0 score of 9.3 (Critical), weighted against each customer environment's own compliance policy to determine escalation priority. Findings are routed to the team inboxes configured inside each customer org, so the right engineers are notified without manual filtering.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the MCP Toolbox service via HTTP/HTTPS to send a crafted token and trigger the bypass.

  • AuthenticationNot required

    No credentials or pre-existing account are needed; the bypass itself is the mechanism that eliminates the authentication barrier.

  • Victim interactionNot required

    The attacker sends a direct request to the service; no user action or social engineering is involved.

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable: the attacker simply presents a token whose introspection response omits the 'active' field, with no race conditions or environmental dependencies required.

Blast Radius

  • An unauthenticated attacker reads all data accessible through the Toolbox instance, including records from any connected database or data source.
  • An unauthenticated attacker writes to or modifies data in any connected database or data source exposed via protected tools.
  • Because integrity and confidentiality of the underlying data sources are fully compromised, any downstream service or application consuming that data is also affected.

How HarborGuard Handles This

Available on HarborGuard: images containing googleapis/mcp-toolbox at version 1.3.0 or earlier are flagged Critical (CVSS 9.3) as soon as they appear in a customer registry or pipeline scan. Because no upstream fix version exists at the time of publication, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that triggers an automatic rebuild, regression-test run, and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled. While awaiting an upstream fix, consider applying network-policy rules to restrict access to the MCP Toolbox service to known, trusted source addresses only, and evaluate whether egress filtering can limit which introspection endpoints the Toolbox instance is permitted to contact.

See how HarborGuard automates this
Affected packages
  • Google / MCP Toolbox for Databases (googleapis/mcp-toolbox)
    ≤ 1.3.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References