HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-11718Published Modified CNA Google

CVE-2026-11718: An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in the opaque token validation logic (validateOpaqueToken) of Google MCP Toolbox for Databases (googleapis/mcp-toolbox), versions 1.3.0 and earlier. The flaw is reachable over the network with no authentication required, exploiting a logic error where a missing issuer (iss) field in an OAuth 2.0 introspection response causes issuer-checking to be silently skipped. A successful attacker can present tokens issued by unauthorized third-party identity providers and gain access as if fully authenticated, compromising confidentiality and the integrity of data the toolbox mediates. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle googleapis/mcp-toolbox at any affected version. Any image in a customer registry or CI/CD pipeline carrying mcp-toolbox at or below 1.3.0 is flagged automatically.

Available
Triage

HarborGuard scores this issue at CVSS v4.0 9.3 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable service must be reachable over the network; an attacker sends a crafted token to the exposed introspection-backed endpoint from any internet or intranet vantage point.

  • AuthenticationNot required

    No account or credential on the target system is needed; the attacker only needs to present a token from an arbitrary third-party identity provider.

  • Victim interactionNot required

    The attacker interacts directly with the service endpoint; no user action or social engineering is required.

  • Attack complexityDetail

    Exploit is reliable and condition-free: the attacker simply omits the iss field from a token introspection response or uses a provider that naturally omits it, triggering the bypass consistently.

Blast Radius

  • Reads any data accessible through the MCP Toolbox database connections, including stored records, credentials, and query results surfaced to the toolbox.
  • Modifies or deletes database rows and other persisted data that the toolbox is authorized to write, by issuing commands under a falsely accepted identity.
  • Allows an attacker to impersonate arbitrary users or service accounts by presenting tokens from unauthorized identity providers that the toolbox now silently accepts.

How HarborGuard Handles This

Available on HarborGuard: images containing googleapis/mcp-toolbox at or below version 1.3.0 are flagged as Critical the moment the CVE enters the advisory feed, with findings routed per each environment's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and PR against affected workloads as soon as Google publishes a fix. In the interim, recommended compensating controls include restricting network access to the toolbox endpoint via Kubernetes NetworkPolicy or equivalent egress/ingress filtering, requiring a reverse proxy or API gateway that enforces strict issuer validation before requests reach the toolbox, and auditing OAuth provider configurations to ensure only expected issuers are permitted at the infrastructure level.

See how HarborGuard automates this
Affected packages
  • Google / MCP Toolbox for Databases (googleapis/mcp-toolbox)
    ≤ 1.3.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References