Platform
java
Component
io.modelcontextprotocol.sdk:mcp-core
Fixed in
1.0.1
1.0.0
A DNS rebinding vulnerability has been discovered in the java-sdk of io.modelcontextprotocol.sdk, which may allow an attacker to gain access to an MCP server through a victim's browser. This can lead to unauthorized tool calls, as if the attacker were a locally connected AI agent. The vulnerability affects SDK versions up to and including 1.0.0-RC3 and is fixed in version 1.0.0.
The core of this vulnerability lies in the lack of Origin header validation prior to version 1.0.0. This omission violates the Model Context Protocol (MCP) specification. An attacker can leverage DNS rebinding to trick a victim's browser into believing it's communicating with a legitimate, locally-trusted MCP server, when in reality, it's connecting to a server controlled by the attacker. This allows the attacker to execute arbitrary tool calls to the MCP server as if they were a locally running AI agent. The potential impact is significant, as an attacker could exfiltrate sensitive data, manipulate system behavior, or even gain a foothold for further attacks within the affected environment. While no direct precedent is cited, the technique shares similarities with other DNS rebinding attacks that have been used to bypass security measures and gain unauthorized access.
CVE-2026-35568 was published on 2026-04-07. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No proof-of-concept (PoC) code has been publicly released as of this writing, but the DNS rebinding technique is well-understood and readily exploitable. Active exploitation campaigns are not currently confirmed, but the ease of exploitation suggests a potential risk.
Organizations deploying applications that utilize the io.modelcontextprotocol.sdk (mcp-core) library, particularly those with network-adjacent deployments or where user browsers have access to both local and remote resources, are at risk. Shared hosting environments where multiple users share the same MCP server are also particularly vulnerable.
• java / server: Monitor application logs for requests with unexpected or missing Origin headers.
grep 'Origin:' /path/to/application.log | sort | uniq -c | sort -nr
• generic web: Use curl to test endpoint exposure and examine response headers for the Origin header.
curl -I https://your-mcp-server/api/endpoint
• generic web: Check access/error logs for unusual patterns related to DNS resolution and requests from unexpected IP addresses.
EPSS
0.03% (7th percentile)
The primary mitigation for CVE-2026-35568 is to immediately upgrade to version 1.0.0 of the io.modelcontextprotocol.sdk (mcp-core). This version includes the necessary Origin header validation to prevent DNS rebinding attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to strictly validate the Origin header and block requests with unexpected or invalid values. Additionally, review your network configuration to ensure that MCP servers are not exposed to untrusted networks. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual Origin header values in your logs is recommended.
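The header check such a proxy rule or servlet filter would apply, as an added example that is not the SDK's own code. The class name, the allowlist values and the port 8080 are assumptions. The Host check goes beyond the Origin validation the page describes: a browser can omit Origin on a same-origin GET, while after rebinding the Host header still carries the attacker's hostname.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example, not SDK code: allowlist check for the Origin and Host headers. */
public final class OriginGuard {
    // Assumed deployment: MCP server bound to loopback on port 8080 (constructed values).
    private static final Set<String> ALLOWED_ORIGINS =
            Set.of("http://localhost:8080", "http://127.0.0.1:8080");
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost:8080", "127.0.0.1:8080");

    /** Returns true only when both headers are consistent with a trusted local client. */
    public static boolean isAllowed(String origin, String host) {
        // After rebinding, the browser still sends the attacker's hostname in Host.
        if (host == null || !ALLOWED_HOSTS.contains(host.trim().toLowerCase(Locale.ROOT))) {
            return false;
        }
        // Non-browser clients send no Origin; the Host check above has already applied.
        if (origin == null) {
            return true;
        }
        return ALLOWED_ORIGINS.contains(normalize(origin));
    }

    /** Reduces an Origin value to scheme://host[:port]; returns "" if it is not a valid origin. */
    static String normalize(String origin) {
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) {
                return ""; // covers the literal "null" origin and malformed values
            }
            String port = u.getPort() == -1 ? "" : ":" + u.getPort();
            return (u.getScheme() + "://" + u.getHost() + port).toLowerCase(Locale.ROOT);
        } catch (URISyntaxException e) {
            return ""; // fail closed on unparseable input
        }
    }

    public static void main(String[] args) {
        // Constructed header pairs: {Origin, Host}
        String[][] samples = {
            {"http://localhost:8080", "localhost:8080"},
            {null, "127.0.0.1:8080"},
            {"http://rebind.example:8080", "rebind.example:8080"},
            {"null", "localhost:8080"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " | " + s[1] + " -> " + (isAllowed(s[0], s[1]) ? "allow" : "403"));
        }
    }
}
```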
Upgrade to version 1.0.0 or later of the MCP Java SDK to mitigate the DNS rebinding vulnerability. This update fixes the issue by correctly validating IP addresses and preventing unauthorized access to MCP servers.
CVE-2026-35568 is a HIGH severity DNS rebinding vulnerability affecting the io.modelcontextprotocol.sdk (mcp-core) library, allowing attackers to access MCP servers through a victim's browser.
You are affected if you are using io.modelcontextprotocol.sdk versions 1.0.0-RC3 or earlier.
Upgrade to version 1.0.0 of io.modelcontextprotocol.sdk. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Active exploitation campaigns are not currently confirmed, but the vulnerability is considered readily exploitable.
Refer to the Model Context Protocol specification and related documentation for details: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warnin