Executive Summary

CVE-2026-34742 is a security vulnerability in the Model Context Protocol (MCP) Go SDK versions prior to 1.4.0. The issue arises because DNS rebinding protection was not enabled by default for HTTP-based MCP servers running on localhost. DNS rebinding attacks allow malicious websites to bypass same-origin policy restrictions by manipulating DNS responses, enabling them to send unauthorized requests to local MCP servers.

Specifically, when an MCP server runs on localhost without authentication using StreamableHTTPHandler or SSEHandler, an attacker can exploit this vulnerability to invoke tools or access resources exposed by the MCP server on behalf of the user.

The vulnerability was addressed in version 1.4.0 of the SDK by introducing automatic DNS rebinding protection. This protection validates that requests arriving via localhost IP addresses (127.0.0.1 or ::1) have a Host header corresponding to a localhost value. Requests with non-localhost Host headers are rejected with a 403 Forbidden response, preventing DNS rebinding attacks.

This protection is enabled by default without requiring code changes, but can be explicitly disabled by users who understand the security implications.

Useful 0 Not Useful 0

Impact Analysis

If you run an HTTP-based MCP server on localhost without authentication and with a vulnerable SDK version (prior to 1.4.0), a malicious website could exploit DNS rebinding to bypass browser same-origin policies.

This exploitation allows the attacker to send unauthorized requests to your local MCP server, potentially invoking tools or accessing sensitive resources exposed by the server on your behalf.

Such unauthorized access could lead to compromise of local services, unauthorized actions, or data exposure within the limited context of the local MCP server.

The vulnerability has a high severity rating (CVSS v4 base score 7.6) due to its potential to impact confidentiality and integrity without requiring privileges or user interaction.

Upgrading to version 1.4.0 or later mitigates this risk by enabling DNS rebinding protection by default.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows DNS rebinding attacks to bypass same-origin policy restrictions and send unauthorized requests to local MCP servers running on localhost without authentication. This could enable attackers to invoke tools or access resources on behalf of the user, potentially leading to unauthorized access to sensitive data.

Such unauthorized access risks could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of data.

By enabling DNS rebinding protection by default in version 1.4.0, the MCP Go SDK mitigates this risk, helping users maintain better security posture and compliance with these standards by preventing local server compromise through DNS rebinding attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves DNS rebinding attacks targeting HTTP-based MCP servers running on localhost without authentication. Detection involves verifying if the MCP server is running a vulnerable version prior to 1.4.0 and if DNS rebinding protection is enabled.

Since the protection mechanism validates the Host header against the actual connection address and rejects requests with non-localhost Host headers arriving via localhost IPs, you can detect attempts by monitoring HTTP 403 Forbidden responses from the MCP server when requests have suspicious Host headers.

To detect the vulnerability on your system, you can check the version of the MCP Go SDK in use. If it is older than 1.4.0, it is vulnerable.

For network detection, you can monitor HTTP requests to the MCP server on localhost (127.0.0.1 or ::1) and look for requests with Host headers that do not match localhost values. Such requests should be rejected with HTTP 403 if protection is enabled.

Suggested commands (assuming you have access to the server logs or can capture traffic):

• Use netstat or ss to check if MCP server is listening on localhost ports: `netstat -tulnp | grep <mcp-port>` or `ss -tulnp | grep <mcp-port>`
• Check the version of the MCP Go SDK used by your application to confirm if it is prior to 1.4.0.
• Monitor HTTP logs for 403 Forbidden responses indicating rejected requests due to Host header validation.
• Capture network traffic on localhost interface and filter HTTP requests with non-localhost Host headers using tools like tcpdump or Wireshark.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the MCP Go SDK to version 1.4.0 or later, where DNS rebinding protection is enabled by default for HTTP-based MCP servers running on localhost.

If upgrading immediately is not possible, avoid running HTTP-based MCP servers on localhost without authentication, especially using StreamableHTTPHandler or SSEHandler.

Ensure that DNS rebinding protection is enabled by default. If you have explicitly disabled it via the `DisableLocalhostProtection` option or the debug flag `disablelocalhostprotection`, re-enable it.

If you use a reverse proxy (e.g., Envoy or nginx) forwarding requests to the MCP server via localhost, configure the proxy to rewrite the Host header to a localhost value to avoid legitimate requests being rejected.

As a security best practice, always run MCP servers with authentication enabled to prevent unauthorized access.

Useful 0 Not Useful 0