CVE-2026-11624
Received - Intake
Model Context Protocol Origin Header Validation Bypass

Publication date: 2026-06-13

Last updated on: 2026-06-13

Assigner: Google Inc.

Description
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

Meta Information
Published: 2026-06-13
Last Modified: 2026-06-13
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: googleapis
Product: mcp-toolbox
Version / Range: 0.25.0

CWE ID: CWE-346
Description: The product does not properly verify that the source of data or communication is valid.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade the MCP server to version 0.25.0 or later, which introduces the --allowed-hosts flag to enable strict host validation.

Configure the server startup flags --allowed-hosts and --allowed-origins to specify only trusted hosts and origins instead of using the default wildcard "*".

This configuration activates the HostCheck middleware that validates incoming requests' host headers and rejects unauthorized hosts with a 400 Bad Request error, preventing DNS rebinding attacks.

Review updated documentation for deployment guides (Docker, GKE, Cloud Run) and CLI references to correctly apply these flags in your environment.
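
The Host and Origin checks described above, as an added Go sketch; it is not mcp-toolbox's HostCheck code. The function names, the constructed hostnames, port 5000, the /mcp path, and returning 400 for a disallowed Origin are assumptions (the page states 400 only for the Host check).

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

func allowed(list []string, v string) bool {
	for _, a := range list {
		if a == "*" || strings.EqualFold(a, v) {
			return true
		}
	}
	return false
}

// hostOriginCheck is an illustrative middleware, not mcp-toolbox's HostCheck.
func hostOriginCheck(hosts, origins []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.Host)
		if err != nil {
			host = r.Host // Host header carried no port
		}
		// A DNS-rebound page still sends its own hostname in Host, so it fails here.
		o := r.Header.Get("Origin") // assumption: clients that send no Origin pass
		if !allowed(hosts, host) || (o != "" && !allowed(origins, o)) {
			http.Error(w, "host or origin not allowed", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func statusFor(hosts, origins []string, host, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:5000/mcp", nil)
	req.Host = host // constructed request; no network traffic is sent
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	hostOriginCheck(hosts, origins, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor([]string{"localhost"}, []string{"*"}, "rebind.example.test:5000", ""))
}
```

With both lists set to "*" the same request is accepted, which is the default behaviour the startup warning refers to.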

Executive Summary

CVE-2026-11624 is a security vulnerability in the googleapis/mcp-toolbox project related to insufficient validation of the "Origin" header in incoming connections, which exposes the server to DNS rebinding attacks.

Prior to version 0.25.0, users could not validate the origin's host, allowing attackers to exploit this by manipulating DNS to make malicious requests appear as if they come from trusted origins.

To mitigate this, version 0.25.0 introduced a new "--allowed-hosts" flag that works alongside the existing "--allowed-origins" flag to specify permitted hosts at server startup.

A new HTTP middleware called HostCheck validates incoming requests' host headers against the allowed hosts list and rejects unauthorized hosts with a 400 Bad Request error.

Both flags default to "*", allowing all hosts, but users are warned at startup about potential vulnerabilities if they do not restrict these settings.

Impact Analysis

This vulnerability allows attackers to perform DNS rebinding attacks against locally running MCP servers.

If exploited, an attacker can gain full control over the MCP server by tricking a victim into visiting a malicious website or ad. With that control, the attacker can:

  • Manipulate databases
  • Steal sensitive data
  • Create new resources without authorization
  • Make unauthorized HTTP requests from the developer's computer as if acting through an MCP-connected AI agent

Detection Guidance

This vulnerability can be detected by checking if the MCP server is running with the default settings that allow all hosts and origins, which means the --allowed-hosts and --allowed-origins flags are set to "*". The server outputs a startup warning if either flag is set to "*", indicating potential vulnerability.

Additionally, you can verify if the HostCheck HTTP middleware is active, which validates incoming requests' host headers against a configured list of allowed hosts and rejects unauthorized hosts with a 400 Bad Request error.

To detect the vulnerability on your system, you can inspect the server startup logs for warnings about the --allowed-hosts or --allowed-origins flags being set to "*".

While no specific commands are provided in the resources, a practical approach is to check the running process or configuration for these flags, for example using commands like:

  • ps aux | grep mcp-toolbox
  • grep -e '--allowed-hosts' /path/to/mcp-toolbox/config (or your startup scripts); a flag that is absent means the default "*" is in effect
  • Send a request to the MCP server with curl -v and observe whether the Host header is validated or unauthorized hosts are accepted.
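
The flag check above, automated as an added Go example that is not part of mcp-toolbox. It assumes the flag values are comma-separated lists and that the arguments have already been split (as in /proc/<pid>/cmdline); the sample command line is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// flagValue returns the last value passed for name, accepting "--name=value"
// and "--name value"; ok is false when the flag does not appear at all.
func flagValue(args []string, name string) (val string, ok bool) {
	for i, a := range args {
		if strings.HasPrefix(a, name+"=") {
			val, ok = a[len(name)+1:], true
		} else if a == name && i+1 < len(args) {
			val, ok = args[i+1], true
		}
	}
	return val, ok
}

// auditArgs lists the flags that leave host or origin validation wide open.
// Assumption: values are comma-separated lists; an absent flag means "*".
func auditArgs(args []string) []string {
	var findings []string
	for _, name := range []string{"--allowed-hosts", "--allowed-origins"} {
		val, ok := flagValue(args, name)
		if !ok {
			findings = append(findings, name+`: not set, default "*" applies`)
			continue
		}
		for _, item := range strings.Split(val, ",") {
			if strings.TrimSpace(item) == "*" {
				findings = append(findings, name+`: wildcard "*" in value`)
				break
			}
		}
	}
	return findings
}

func main() {
	// Constructed command line for illustration.
	sample := []string{"mcp-toolbox", "--allowed-hosts=localhost,127.0.0.1", "--allowed-origins", "*"}
	for _, f := range auditArgs(sample) {
		fmt.Println(f)
	}
}
```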

Compliance Impact

The vulnerability in CVE-2026-11624 allows DNS rebinding attacks that can lead to unauthorized access and control over locally running MCP servers. This can result in attackers manipulating databases, stealing data, creating new resources, or making unauthorized HTTP requests from the developer's computer.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data access, protection of personal data, and prevention of unauthorized data processing.

The introduction of the --allowed-hosts flag in version 0.25.0 provides a mechanism to mitigate this risk by enabling strict host validation, which helps in enforcing access controls and reducing the risk of data exposure or unauthorized actions.
