CVE-2026-11717
Status: Received - Intake
Authentication Bypass in MCP Toolbox via Missing Active Field

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Google Inc.

Description
An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where the Active field is declared as a pointer to a boolean (*bool). The code only explicitly rejects a token if the response contains a populated active field set to false (if introspectResp.Active != nil && !*introspectResp.Active). If an introspection endpoint responds with a payload that completely omits the mandatory active key, the internal variable remains nil, causing the conditional check to short-circuit. As a result, Toolbox accepts authorization tokens missing the "active" field, granting access to protected tools and underlying data sources.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: googleapis
Product: mcp-toolbox
Version / Range: 1.4.0
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Compliance Impact

The vulnerability in the googleapis/mcp-toolbox allows authentication bypass due to improper handling of OAuth token validation, potentially granting unauthorized access to protected tools and underlying data sources.

Such unauthorized access risks exposure of sensitive information, which can lead to non-compliance with common standards and regulations like GDPR and HIPAA that mandate strict access controls and protection of personal and sensitive data.

By allowing tokens missing the mandatory "active" field to be accepted, the system fails to enforce proper authentication, increasing the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these regulations.

Executive Summary

This vulnerability is an authentication bypass in the googleapis/mcp-toolbox's generic opaque token validation process. When the toolbox verifies an OAuth 2.0 token via an introspection endpoint, it expects a mandatory "active" field in the response to determine if the token is valid. However, if the introspection response omits this "active" field entirely, the toolbox mistakenly treats the token as valid, granting unauthorized access.

The root cause is that the code only rejects tokens explicitly marked as inactive (active field set to false), but does not handle the case where the active field is missing, leading to acceptance of potentially invalid tokens.

The vulnerability was fixed by separating Google and generic MCP OAuth verification, enforcing stricter validation of the "active" field, and improving overall token validation logic.

Impact Analysis

This vulnerability can allow attackers to bypass authentication controls by presenting tokens that lack the mandatory "active" field, which the system incorrectly accepts as valid.

As a result, unauthorized users could gain access to protected tools and sensitive underlying data sources within the googleapis/mcp-toolbox environment.

This could lead to exposure of sensitive information, unauthorized actions, and compromise of system integrity.

Detection Guidance

Detection of this vulnerability involves checking whether the OAuth 2.0 introspection endpoint responses omit the mandatory "active" field in the token validation response. Specifically, you should monitor and analyze introspection responses to see if tokens without the "active" field are being accepted.

You can query the introspection endpoint directly with curl, or capture the traffic between Toolbox and the endpoint with tcpdump, to inspect the introspection responses. For example, using curl to query the introspection endpoint and check the response payload:

  • curl -X POST -d 'token=YOUR_TOKEN' https://your-introspection-endpoint/oauth2/introspect

Then verify if the JSON response contains the "active" field. If the field is missing or null, and the system accepts the token, it indicates the vulnerability.
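The following Go program is an added illustration, not code from the mcp-toolbox project: it reproduces the nil-pointer check quoted in the Description beside a fail-closed version, and can be pointed at captured introspection payloads as the check this section describes. The struct and function names are assumptions for this example; the JSON payloads are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// introspectResp mirrors the struct described in the advisory: because Active
// is a *bool, a response that omits "active" (or sends null) decodes to nil.
type introspectResp struct {
	Active *bool `json:"active"`
}

// vulnerableAccept reproduces the flawed check quoted in the advisory: only an
// explicit active=false is rejected, so a nil Active (missing key) passes.
func vulnerableAccept(body []byte) error {
	var r introspectResp
	if err := json.Unmarshal(body, &r); err != nil {
		return err
	}
	if r.Active != nil && !*r.Active {
		return errors.New("token is not active")
	}
	return nil
}

// hardenedAccept fails closed: RFC 7662 makes "active" REQUIRED, so an absent
// or null field is treated exactly like active=false.
func hardenedAccept(body []byte) error {
	var r introspectResp
	if err := json.Unmarshal(body, &r); err != nil {
		return err
	}
	if r.Active == nil {
		return errors.New(`introspection response lacks the required "active" field`)
	}
	if !*r.Active {
		return errors.New("token is not active")
	}
	return nil
}

func main() {
	// Constructed sample responses; the last two carry no usable "active" value.
	for _, b := range []string{`{"active":true}`, `{"active":false}`, `{"sub":"alice"}`, `{"active":null}`} {
		fmt.Printf("%-18s vulnerable=%v hardened=%v\n", b, vulnerableAccept([]byte(b)), hardenedAccept([]byte(b)))
	}
}
```

A nil result from vulnerableAccept on the third and fourth payloads is the behaviour the advisory describes; hardenedAccept returns an error for both.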

Mitigation Strategies

Immediate mitigation involves updating the googleapis/mcp-toolbox to version 1.4.0 or later, which includes the fix for this vulnerability.

The fix separates Google and generic MCP OAuth verification processes, enforces stricter validation of the "active" field in OAuth tokens, and improves issuer validation. Applying this update will prevent acceptance of tokens missing the "active" field.

Additionally, review your authentication logs and token validation logic to ensure tokens without the "active" field are rejected.
