平台
java
组件
io.modelcontextprotocol.sdk:mcp-core
修复版本
1.0.1
1.0.0
CVE-2026-35568描述了io.modelcontextprotocol.sdk中的DNS rebinding漏洞,允许攻击者利用受害者的浏览器访问私有MCP服务器。此漏洞可能导致攻击者以本地MCP连接AI代理的身份执行任意工具调用,从而造成潜在的安全风险。该漏洞影响io.modelcontextprotocol.sdk:mcp-core版本小于或等于1.0.0-RC3。该漏洞已在1.0.0版本中修复。
The core of this vulnerability lies in the lack of Origin header validation prior to version 1.0.0. This omission violates the Model Context Protocol (MCP) specification. An attacker can leverage DNS rebinding to trick a victim's browser into believing it's communicating with a legitimate, locally-trusted MCP server, when in reality, it's connecting to a server controlled by the attacker. This allows the attacker to execute arbitrary tool calls to the MCP server as if they were a locally running AI agent. The potential impact is significant, as an attacker could exfiltrate sensitive data, manipulate system behavior, or even gain a foothold for further attacks within the affected environment. While no direct precedent is cited, the technique shares similarities with other DNS rebinding attacks that have been used to bypass security measures and gain unauthorized access.
CVE-2026-35568 was published on 2026-04-07. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No public proof-of-concept (PoC) code has been publicly released as of this writing, but the DNS rebinding technique is well-understood and readily exploitable. Active exploitation campaigns are not currently confirmed, but the ease of exploitation suggests a potential risk.
Organizations deploying applications that utilize the io.modelcontextprotocol.sdk (mcp-core) library, particularly those with network-adjacent deployments or where user browsers have access to both local and remote resources, are at risk. Shared hosting environments where multiple users share the same MCP server are also particularly vulnerable.
• java / server: Monitor application logs for requests with unexpected or missing Origin headers.
grep 'Origin:' /path/to/application.log | sort | uniq -c | sort -nr• generic web: Use curl to test endpoint exposure and examine response headers for the Origin header.
curl -I https://your-mcp-server/api/endpoint• generic web: Check access/error logs for unusual patterns related to DNS resolution and requests from unexpected IP addresses.
disclosure
漏洞利用状态
EPSS
0.03% (7% 百分位)
CISA SSVC
The primary mitigation for CVE-2026-35568 is to immediately upgrade to version 1.0.0 of the io.modelcontextprotocol.sdk (mcp-core). This version includes the necessary Origin header validation to prevent DNS rebinding attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to strictly validate the Origin header and block requests with unexpected or invalid values. Additionally, review your network configuration to ensure that MCP servers are not exposed to untrusted networks. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual Origin header values in your logs is recommended.
Actualice a la versión 1.0.0 o superior del MCP Java SDK para mitigar la vulnerabilidad de reencuadre de DNS. Esta actualización corrige el problema al validar correctamente las direcciones IP y evitar el acceso no autorizado a los servidores MCP.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-35568是一个io.modelcontextprotocol.sdk:mcp-core组件中的DNS rebinding漏洞,允许攻击者通过受害者的浏览器访问私有MCP服务器,并可能执行任意工具调用。
如果您正在使用io.modelcontextprotocol.sdk:mcp-core版本小于或等于1.0.0-RC3,则可能受到此漏洞的影响。
已在io.modelcontextprotocol.sdk:mcp-core 1.0.0版本中修复此漏洞。请升级到最新版本。
上传你的 pom.xml 文件,立即知道是否受影响。