CVE-2026-9739: Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790)
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
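The following is an added example, written in Go; it is not code from the Toolbox or from PR 3054. It places the shape of the defect described above (an SSE handler that emits `Access-Control-Allow-Origin: *` unconditionally and checks nothing) beside a hardened handler that enforces both allowlists. The allowlist values, the port numbers, the hostnames and the `/sse` path are constructed for the example and are assumptions, as are the function names. Two checks matter: the Host header is compared against the `allowed-hosts` list, which is what defeats DNS rebinding, because a rebound request still carries the attacker's hostname in Host even though it reaches the local service; and the Origin header, when present, is compared against `allowed-origins` and is reflected back only when it matches, never as `*`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed allowlists standing in for the allowed-hosts / allowed-origins
// flags. The values are assumptions made for this example.
var (
	allowedHosts   = map[string]bool{"127.0.0.1:5000": true, "localhost:5000": true}
	allowedOrigins = map[string]bool{"http://localhost:3000": true}
)

// vulnerableSSE mirrors the defect: the wildcard CORS header is hardcoded and
// neither Host nor Origin is ever compared against an allowlist.
func vulnerableSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /messages\n\n")
}

// hardenedSSE enforces both allowlists before opening the stream.
// 1. Host must be on allowed-hosts: a DNS-rebound request arrives with the
//    attacker's hostname in Host, so this check alone breaks rebinding.
// 2. Origin, when the browser sends one, must be on allowed-origins; only a
//    matched origin is reflected, so "*" is never emitted.
func hardenedSSE(w http.ResponseWriter, r *http.Request) {
	if !allowedHosts[strings.ToLower(r.Host)] {
		http.Error(w, "forbidden host", http.StatusForbidden)
		return
	}
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		if err != nil || !allowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)] {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /messages\n\n")
}

// probe sends one constructed request to a handler and returns the status
// code and the Access-Control-Allow-Origin header the handler emitted.
func probe(h http.HandlerFunc, host, origin string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Host = host
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	cases := []struct{ host, origin string }{
		// Legitimate client on the allowlisted origin.
		{"127.0.0.1:5000", "http://localhost:3000"},
		// DNS rebinding: the victim's browser resolved attacker.example to the
		// Toolbox address, so Host names the attacker's site. The browser may
		// not send Origin at all here, so the Host check must stand on its own.
		{"attacker.example:5000", ""},
		// Plain cross-origin read from a hostile page, correct Host.
		{"127.0.0.1:5000", "https://evil.example"},
	}
	for _, c := range cases {
		vc, vh := probe(vulnerableSSE, c.host, c.origin)
		hc, hh := probe(hardenedSSE, c.host, c.origin)
		fmt.Printf("Host=%-24s Origin=%-24s vulnerable=%d ACAO=%q  hardened=%d ACAO=%q\n",
			c.host, c.origin, vc, vh, hc, hh)
	}
}
```

The vulnerable handler answers all three requests with 200 and a wildcard header; the hardened one rejects the rebound Host and the unknown Origin with 403 and reflects only the allowlisted origin. When auditing a deployment, the equivalent check is to send a request with a bogus Host header to the SSE endpoint and confirm it is refused, regardless of what the flags say.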
HarborGuard Analysis
Synopsis
A DNS rebinding and CORS bypass vulnerability affects Google MCP Toolbox for Databases when clients connect via Server-Sent Events (SSE) under MCP specification v2024-11-05. The SSE initialization handler retains a hardcoded `Access-Control-Allow-Origin: *` header, which overrides the restrictions the `allowed-origins` and `allowed-hosts` flags are meant to enforce and exposes the endpoint to any origin over the network without authentication. A successful attack gives an adversary full read, write, and availability impact on both the vulnerable component and the systems connected to it. A patched-image rebuild at PR 3054 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-9739 is active across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that package MCP Toolbox for Databases.
- Severity scoring: Available. HarborGuard scores this CVE at its published CVSS v4.0 rating of 9.4 (CRITICAL) and weights it against each environment's compliance policy to surface it at the appropriate severity tier. Routing to the correct team inbox within a customer org is handled automatically based on image ownership and policy configuration.
- Patched-image rebuild: Available. A rebuild pinned to PR 3054 (Fix CORS bypass) becomes available through HarborGuard once the fix version is resolvable from upstream. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The SSE endpoint must be reachable from the victim's browser (AV:N). As with any DNS rebinding attack, the request is issued by the victim's own browser, so a Toolbox instance that is reachable only from that machine or its local network is still in scope; the attacker needs no direct route to it.
- Authentication: Not required
No credentials are needed (PR:N); the handler accepts SSE connections without any authentication material, and the wildcard CORS header lets a page from any origin read the resulting stream.
- Victim interaction: Required
The attack requires a user to visit or be directed to a malicious page that starts the DNS rebinding sequence (UI:A), so browser-side victim interaction is a necessary step in the exploit chain.
- Attack complexity: Low
The attack is reliable and needs no special conditions (AC:L): no race conditions, specific memory layouts, or unusual environmental prerequisites are required.
Blast Radius
- Reads sensitive data from the database-connected service, including query results, session context, and any credentials or tokens accessible through the Toolbox API.
- Modifies or deletes persisted data via unauthorized write operations routed through the compromised SSE connection.
- Crashes or degrades the MCP Toolbox service, disrupting database access for all dependent applications.
- Pivots laterally to connected systems (SC:H/SI:H/SA:H) by leveraging the Toolbox's trusted database credentials to reach backend data stores beyond the immediate container.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9739 is active the moment the advisory is ingested, matching any image that bundles an affected version of MCP Toolbox for Databases (all versions before PR 3054). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version, executes a regression run, and opens a pull request against affected workloads; for CRITICAL-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the CVE is surfaced in the appropriate team inbox with full CVSS v4.0 context and remediation guidance. As an interim compensating control while the rebuild is reviewed, restrict network access to the SSE endpoint to known clients, and audit any `allowed-origins` or `allowed-hosts` flag configurations to confirm they are not being silently overridden at the handler level. Note that a network policy alone does not stop DNS rebinding, because the request originates from the victim's browser inside the allowed network; until the patched build is deployed, the Host and Origin headers of each SSE request still need to be validated, for example by a reverse proxy in front of the Toolbox that enforces the same host and origin allowlists.
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: PR 3054 (Fix CORS bypass)
- Affected Products: 1
Fix available
- Google / MCP Toolbox for Databases: affected from version 0 up to, but not including, PR 3054 (Fix CORS bypass)
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H