CVE-2026-11624

Received
Published: 13 Jun 2026, 08:38
Last modified:13 Jun 2026, 08:38

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.4 CRITICAL
v4.0 (cve.org)
EPSS Score
<0.01% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 Jun 2026, 08:38
Published
Vulnerability first disclosed

Description

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

CVSS Metrics

  • v4.0CRITICALScore: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • v4.0CRITICALScore: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Trends

Current EPSS score: 0.01% Percentile: 1%

Techniques & Countermeasures

  • CWE-346Origin Validation Error

    The product does not properly verify that the source of data or communication is valid.

Affected Systems

  • googlemcp toolbox for databases

    < 0.25.0

References (2)