HIGHCVE-2026-42559Published Modified CNA GitHub_M
CVE-2026-42559: RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Metrics
- CVSS v3.1
- 8.8
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
Affected packages
- modelcontextprotocol / rust-sdk< 1.4.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
- https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx
- https://github.com/modelcontextprotocol/rust-sdk/issues/815
- https://github.com/modelcontextprotocol/rust-sdk/issues/822
- https://github.com/modelcontextprotocol/rust-sdk/pull/764
- https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3