Platform: java
Component: io.modelcontextprotocol.sdk:mcp-core
Fixed in: 1.0.1, 1.0.0
CVE-2026-35568 describes a DNS rebinding vulnerability discovered in the io.modelcontextprotocol.sdk (mcp-core) library. This flaw allows attackers to bypass security controls and potentially gain unauthorized access to locally or network-adjacent MCP servers through a victim's web browser. The vulnerability impacts versions of the SDK up to and including 1.0.0-RC3, and a fix is available in version 1.0.0.
The core of this vulnerability lies in the lack of Origin header validation prior to version 1.0.0. This omission violates the Model Context Protocol (MCP) specification. An attacker can leverage DNS rebinding to trick a victim's browser into believing it is communicating with a legitimate, locally trusted MCP server, when in reality it is connecting to a server controlled by the attacker. This allows the attacker to execute arbitrary tool calls to the MCP server as if they were a locally running AI agent. The potential impact is significant, as an attacker could exfiltrate sensitive data, manipulate system behavior, or gain a foothold for further attacks within the affected environment. While no direct precedent is cited, the technique shares similarities with other DNS rebinding attacks that have been used to bypass security measures and gain unauthorized access.
CVE-2026-35568 was published on 2026-04-07. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been released as of this writing, but the DNS rebinding technique is well understood and readily exploitable. Active exploitation campaigns are not currently confirmed, but the ease of exploitation means the risk should not be dismissed.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35568 is to immediately upgrade to version 1.0.0 of the io.modelcontextprotocol.sdk (mcp-core). This version includes the necessary Origin header validation to prevent DNS rebinding attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to strictly validate the Origin header and block requests with unexpected or invalid values. Additionally, review your network configuration to ensure that MCP servers are not exposed to untrusted networks. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual Origin header values in your logs is recommended.
Update to version 1.0.0 or higher of the MCP Java SDK to mitigate the DNS rebinding vulnerability. This update fixes the issue by correctly validating IP addresses and preventing unauthorized access to MCP servers.
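The check the fix adds, as an added illustration that is not the mcp-core SDK's own code: an Origin-header allowlist for an MCP HTTP endpoint that canonicalises both the configured origins and the incoming header (scheme, host, explicit port) before comparing, rejects anything that is not a bare origin (a path, userinfo, or the literal "null"), and only tolerates a missing header when a flag is set for non-browser clients. The class name, the allowMissingOrigin flag and the sample origins are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Origin-header allowlist for an MCP HTTP endpoint. Added illustrative code, not the
// mcp-core SDK's own implementation; the class name and allowMissingOrigin flag are assumptions.
public final class OriginValidator {
    private final Set<String> allowed = new HashSet<>(); // canonical "scheme://host:port"
    private final boolean allowMissingOrigin;            // true only for non-browser clients
    public OriginValidator(Set<String> allowedOrigins, boolean allowMissingOrigin) {
        for (String o : allowedOrigins) {
            String c = canonical(o);
            if (c == null) throw new IllegalArgumentException("allowlist entry is not a bare origin: " + o);
            allowed.add(c);
        }
        this.allowMissingOrigin = allowMissingOrigin;
    }
    // True only when the request may reach the MCP endpoint; call it before reading the body.
    public boolean isAllowed(String originHeader) {
        if (originHeader == null || originHeader.isBlank()) return allowMissingOrigin;
        String c = canonical(originHeader.trim()); // "null" and malformed values canonicalise to null
        return c != null && allowed.contains(c);
    }
    // Lower-cased scheme and host with an explicit port; null unless the value is a bare origin.
    static String canonical(String origin) {
        try {
            URI u = new URI(origin);
            if (u.isOpaque() || u.getScheme() == null || u.getHost() == null) return null;
            if (u.getRawUserInfo() != null || u.getRawQuery() != null
                    || u.getRawFragment() != null || !u.getRawPath().isEmpty()) return null;
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            int port = u.getPort();
            if (port == -1) port = scheme.equals("https") ? 443 : scheme.equals("http") ? 80 : -1;
            if (port == -1) return null; // unknown scheme and no explicit port: cannot compare safely
            return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }
    public static void main(String[] args) {
        // Constructed sample: a local MCP server on port 3000 used only by a local browser UI.
        OriginValidator v = new OriginValidator(Set.of("http://localhost:3000", "http://127.0.0.1:3000"), false);
        for (String o : new String[] {"http://localhost:3000", "http://LOCALHOST:3000/",
                "http://attacker.example:3000", "null", null}) {
            System.out.println(o + " -> " + (v.isAllowed(o) ? "allowed" : "rejected"));
        }
    }
}
```

Pair the check with binding the server to a loopback address, as the network-configuration advice above suggests, so the allowlist is a second layer rather than the only one.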
CVE-2026-35568 is a HIGH severity DNS rebinding vulnerability affecting the io.modelcontextprotocol.sdk (mcp-core) library, allowing attackers to access MCP servers through a victim's browser.
You are affected if you are using io.modelcontextprotocol.sdk versions 1.0.0-RC3 or earlier.
Upgrade to version 1.0.0 of io.modelcontextprotocol.sdk. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability is considered readily exploitable.
Refer to the Model Context Protocol specification and related documentation for details: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warnin