CVE-2026-35568
DNS Rebinding in MCP Java SDK Allows Unauthorized Local Access
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | mcp_java_sdk | all versions before 1.0.0 (1.0.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a DNS rebinding weakness in MCP Java SDK versions prior to 1.0.0.
It allows an attacker to reach a locally running or network-private MCP server through the browser of a victim who is on that host or on the same private network.
The attacker can then issue any tool call to the MCP server as if they were a locally running AI agent connected to it.
The vulnerability is fixed in version 1.0.0 of the MCP Java SDK.
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely interact with the MCP Java SDK server as if they were a trusted local AI agent.
Such access could result in unauthorized commands being executed on the server, compromising the integrity and confidentiality of the system.
Because the attacker can make any tool call, this could lead to data exposure, manipulation, or disruption of services provided by the MCP server.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in MCP Java SDK version 1.0.0. Immediate mitigation involves upgrading the java-sdk to version 1.0.0 or later.
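As an added example (not code from the MCP Java SDK or from its 1.0.0 fix), the kind of Host-header allowlist check that blocks a DNS-rebinding request to a local HTTP-based MCP server before it reaches tool dispatch: a rebound request arrives carrying the attacker's domain in the Host header, while a legitimate local client sends localhost or a loopback address. The allowed names and the listen port are assumptions.

```java
import java.util.Locale;
import java.util.Set;

// Added example, not the SDK's own code: validate the HTTP Host header so that a
// request whose Host names some other domain (the DNS-rebinding pattern) is
// rejected, even though the TCP connection came from the loopback interface.
public final class HostHeaderGuard {

    // Names this local server legitimately answers to (assumed for the example).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("localhost", "127.0.0.1", "[::1]");

    private HostHeaderGuard() {}

    /** Returns true only if the Host header refers to this server itself. */
    public static boolean isAllowedHost(String hostHeader, int listenPort) {
        if (hostHeader == null || hostHeader.isBlank()) {
            return false; // HTTP/1.1 requires Host; a missing one is not trusted
        }
        String value = hostHeader.trim().toLowerCase(Locale.ROOT);
        String host;
        String port = null;
        if (value.startsWith("[")) {                 // bracketed IPv6 literal
            int close = value.indexOf(']');
            if (close < 0) return false;
            host = value.substring(0, close + 1);
            String rest = value.substring(close + 1);
            if (!rest.isEmpty()) {
                if (!rest.startsWith(":")) return false;
                port = rest.substring(1);
            }
        } else {
            int colon = value.indexOf(':');
            host = colon >= 0 ? value.substring(0, colon) : value;
            if (colon >= 0) port = value.substring(colon + 1);
        }
        if (!ALLOWED_HOSTS.contains(host)) return false;
        // If a port is present it must be the one this server listens on.
        return port == null || port.equals(Integer.toString(listenPort));
    }

    public static void main(String[] args) {
        // A local client and a rebound request, both hitting a server on port 8080.
        System.out.println(isAllowedHost("localhost:8080", 8080));
        System.out.println(isAllowedHost("attacker.example:8080", 8080));
    }
}
```

Binding the server to a loopback address rather than all interfaces, and checking the Origin header on browser-originated requests, are complementary measures; neither replaces the Host check, since a rebound request still arrives on loopback.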