Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for rust-sdk by modelcontextprotocol

    CVE-2026-42559 (GCVE-0-2026-42559)

    Vulnerability from nvd – Published: 2026-05-14 14:24 – Updated: 2026-05-14 16:00
    VLAI
    Title
    RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport
    Summary
    RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T16:00:22.834947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:00:33.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-sdk",
              "vendor": "modelcontextprotocol",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-350",
                  "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T14:24:56.090Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/815",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/822",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/pull/764",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
            }
          ],
          "source": {
            "advisory": "GHSA-89vp-x53w-74fx",
            "discovery": "UNKNOWN"
          },
          "title": "RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42559",
        "datePublished": "2026-05-14T14:24:56.090Z",
        "dateReserved": "2026-04-28T16:56:50.192Z",
        "dateUpdated": "2026-05-14T16:00:33.149Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42559 (GCVE-0-2026-42559)

    Vulnerability from cvelistv5 – Published: 2026-05-14 14:24 – Updated: 2026-05-14 16:00
    VLAI
    Title
    RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport
    Summary
    RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42559",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T16:00:22.834947Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T16:00:33.149Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "rust-sdk",
              "vendor": "modelcontextprotocol",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-350",
                  "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T14:24:56.090Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/815",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/822",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/pull/764",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
            },
            {
              "name": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
            }
          ],
          "source": {
            "advisory": "GHSA-89vp-x53w-74fx",
            "discovery": "UNKNOWN"
          },
          "title": "RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42559",
        "datePublished": "2026-05-14T14:24:56.090Z",
        "dateReserved": "2026-04-28T16:56:50.192Z",
        "dateUpdated": "2026-05-14T16:00:33.149Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }