DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-35568: CVE-2026-35568: DNS Rebinding Vulnerability in MCP Java-SDK Server Transport Layer

#security #cve #cybersecurity

CVE-2026-35568: DNS Rebinding Vulnerability in MCP Java-SDK Server Transport Layer

Vulnerability ID: CVE-2026-35568
CVSS Score: 7.6
Published: 2026-04-07

The MCP Java SDK prior to version 1.0.0 contains a high-severity DNS rebinding vulnerability (CVE-2026-35568) due to the absence of Origin and Host header validation in the server transport layer. This flaw permits remote attackers to execute unauthorized JSON-RPC commands on a local MCP server by weaponizing a victim's web browser, potentially leading to remote code execution.

TL;DR

Missing Origin validation in MCP Java SDK < 1.0.0 allows DNS rebinding attacks, enabling unauthorized local JSON-RPC command execution.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-346, CWE-350
  • Attack Vector: Network
  • CVSS 4.0 Score: 7.6 (High)
  • Impact: Unauthorized JSON-RPC Command Execution / RCE
  • Exploit Status: Proof of Concept (PoC)
  • CISA KEV: Not Listed

Affected Systems

  • MCP Java SDK Transport Layer (SSE/Servlets)
  • Local AI Agents utilizing mcp-core
  • mcp-spring-webflux (Pre-1.0.0)
  • mcp-spring-webmvc (Pre-1.0.0)
  • MCP Java SDK: < 1.0.0 (Fixed in: 1.0.0)

Code Analysis

Commit: 4c1c3d8

Implementation of security validators and refactoring of McpTransportContext to handle security headers.

Mitigation Strategies

  • Upgrade MCP Java SDK to version 1.0.0 or later.
  • Migrate Spring-based web components to the Spring AI project.
  • Deploy a reverse proxy to enforce strict Host and Origin header validation.
  • Implement framework-level CORS restrictions explicitly denying unauthorized origins.

Remediation Steps:

  1. Identify all projects utilizing the io.modelcontextprotocol.sdk:mcp-core dependency.
  2. Update the dependency version in pom.xml or build.gradle to 1.0.0.
  3. Ensure the application properly initializes the new McpTransportContext.
  4. Validate the implementation by sending a test request with an unauthorized Origin header and verifying a 403 Forbidden response.
  5. Review the exposed MCP tools and apply the principle of least privilege to the server's capabilities.

References

Read the full report for CVE-2026-35568 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)