CVE-2026-9739
DNS Rebinding in Toolbox SSE Implementation
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Google Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves DNS rebinding attacks against the Server-Sent Events (SSE) transport. During the beta phase, security measures such as the `allowed-origins` and `allowed-hosts` flags were implemented to follow security guidelines. However, a hardcoded header `Access-Control-Allow-Origin: *` remained in the SSE initialization handler, which allows any origin to read the resource regardless of those allow-lists. This flaw specifically affects users connecting to Toolbox via SSE under specification v2024-11-05.
How can this vulnerability impact me?
This vulnerability can allow attackers to perform DNS rebinding attacks, potentially bypassing the browser's same-origin policy. This means an attacker could trick a user's browser into interacting with internal or restricted network resources through the vulnerable SSE connection, leading to unauthorized access or data exposure.