{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-11718/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-18T13:53:14.985Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-11718","@id":"https://www.cve.org/CVERecord?id=CVE-2026-11718","description":"An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox.\n\nWhen the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != \"\" && iss != \"\". If the external OAuth provider's introspection response omits the optional iss (is"},"products":[{"@id":"cpe:2.3:a:google:mcp_toolbox_for_databases_\\(googleapis\\/mcp-toolbox\\):*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:google:mcp_toolbox_for_databases_\\(googleapis\\/mcp-toolbox\\):*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-18T13:53:14.985Z"}]}