Vulnerability-Lookup

CVE-2026-42559 (GCVE-0-2026-42559)

Vulnerability from cvelistv5 – Published: 2026-05-14 14:24 – Updated: 2026-05-14 16:00

Title

RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport

Summary

RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-346 - Origin Validation Error
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/modelcontextprotocol/rust-sdk/…	x_refsource_CONFIRM
https://github.com/modelcontextprotocol/rust-sdk/…	x_refsource_MISC
https://github.com/modelcontextprotocol/rust-sdk/…	x_refsource_MISC
https://github.com/modelcontextprotocol/rust-sdk/…	x_refsource_MISC
https://github.com/modelcontextprotocol/rust-sdk/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
modelcontextprotocol	rust-sdk	Affected: < 1.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42559",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:00:22.834947Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:00:33.149Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rust-sdk",
          "vendor": "modelcontextprotocol",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-350",
              "description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T14:24:56.090Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
        },
        {
          "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/815",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
        },
        {
          "name": "https://github.com/modelcontextprotocol/rust-sdk/issues/822",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
        },
        {
          "name": "https://github.com/modelcontextprotocol/rust-sdk/pull/764",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
        },
        {
          "name": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
        }
      ],
      "source": {
        "advisory": "GHSA-89vp-x53w-74fx",
        "discovery": "UNKNOWN"
      },
      "title": "RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42559",
    "datePublished": "2026-05-14T14:24:56.090Z",
    "dateReserved": "2026-04-28T16:56:50.192Z",
    "dateUpdated": "2026-05-14T16:00:33.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42559",
      "date": "2026-05-26",
      "epss": "6e-05",
      "percentile": "0.00424"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42559\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-14T15:16:46.750\",\"lastModified\":\"2026-05-14T17:19:49.973\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"},{\"lang\":\"en\",\"value\":\"CWE-350\"}]}],\"references\":[{\"url\":\"https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/modelcontextprotocol/rust-sdk/issues/815\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/modelcontextprotocol/rust-sdk/issues/822\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/modelcontextprotocol/rust-sdk/pull/764\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42559\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T16:00:22.834947Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-14T16:00:29.092Z\"}}], \"cna\": {\"title\": \"RMCP: DNS rebinding vulnerability in rmcp Streamable HTTP server transport\", \"source\": {\"advisory\": \"GHSA-89vp-x53w-74fx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"modelcontextprotocol\", \"product\": \"rust-sdk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.4.0\"}]}], \"references\": [{\"url\": \"https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx\", \"name\": \"https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/modelcontextprotocol/rust-sdk/issues/815\", \"name\": \"https://github.com/modelcontextprotocol/rust-sdk/issues/815\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/modelcontextprotocol/rust-sdk/issues/822\", \"name\": \"https://github.com/modelcontextprotocol/rust-sdk/issues/822\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/modelcontextprotocol/rust-sdk/pull/764\", \"name\": \"https://github.com/modelcontextprotocol/rust-sdk/pull/764\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3\", \"name\": \"https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-350\", \"description\": \"CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-14T14:24:56.090Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42559\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-14T16:00:33.149Z\", \"dateReserved\": \"2026-04-28T16:56:50.192Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-14T14:24:56.090Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42559

Vulnerability from fkie_nvd - Published: 2026-05-14 15:16 - Updated: 2026-05-14 17:19

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3
	security-advisories@github.com	https://github.com/modelcontextprotocol/rust-sdk/issues/815
	security-advisories@github.com	https://github.com/modelcontextprotocol/rust-sdk/issues/822
	security-advisories@github.com	https://github.com/modelcontextprotocol/rust-sdk/pull/764
	security-advisories@github.com	https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate\u0027s Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface. This vulnerability is fixed in 1.4.0."
    }
  ],
  "id": "CVE-2026-42559",
  "lastModified": "2026-05-14T17:19:49.973",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-14T15:16:46.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        },
        {
          "lang": "en",
          "value": "CWE-350"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-89VP-X53W-74FX

Vulnerability from github – Published: 2026-05-06 21:55 – Updated: 2026-05-19 20:17

Summary

rmcp Streamable HTTP server transport has a DNS rebinding vulnerability

Details

Summary

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface — violating the MCP specification's transport security guidance.

Impact

An attacker who convinces a victim to visit a malicious page can:

Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.
Read resources, prompts, and any state accessible via the MCP session.
Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim's server exposes.

Because MCP servers frequently run with the user's privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim's machine.

Affected Versions

rmcp < 1.4.0 — all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.

Patched Versions

rmcp >= 1.4.0 (current: 1.5.1).

Patch

Fixed in PR #764 (commit 8e22aa2), released as v1.4.0 on 2026-04-09:

StreamableHttpServerConfig::allowed_hosts now defaults to a loopback-only allowlist: ["localhost", "127.0.0.1", "::1"].
All incoming HTTP requests pass through validate_dns_rebinding_headers(), which parses the Host header and returns HTTP 403 if the host is not on the allowlist.
Public deployments can configure an explicit allowlist via StreamableHttpService::with_allowed_hosts(...), or opt out (not recommended without an upstream reverse proxy that validates Host) via disable_allowed_hosts().

This fix validates the Host header only. Origin header validation is tracked as a defense-in-depth follow-up in #822 and is not required to block the DNS rebinding attack described here — the browser cannot forge the Host header sent to the rebound server.

Workarounds for Unpatched Users

Upgrade to rmcp >= 1.4.0.
If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose Host header is not one of your expected hostnames.
Do not bind the MCP server to 0.0.0.0 without such a proxy.

Resources

PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764
Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815
Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822
MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning

Related advisories (same class of vulnerability)

TypeScript SDK: GHSA-w48q-cv73-mx4w
Python SDK: GHSA-9h52-p55h-vw2f
Go SDK: GHSA-xw59-hvm2-8pj6
Java SDK: GHSA-8jxr-pr72-r468

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rmcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-350"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:55:56Z",
    "nvd_published_at": "2026-05-14T15:16:46Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nPrior to version 1.4.0, the `rmcp` crate\u0027s Streamable HTTP server transport (`crates/rmcp/src/transport/streamable_http_server/`) did not validate the incoming `Host` header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim\u0027s loopback or private-network interface \u2014 violating the MCP specification\u0027s [transport security guidance](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning).\n\n## Impact\n\nAn attacker who convinces a victim to visit a malicious page can:\n\n- Enumerate and invoke any tool exposed by a locally-running rmcp-based MCP server.\n- Read resources, prompts, and any state accessible via the MCP session.\n- Trigger side effects (file writes, shell execution, API calls, etc.) limited only by what tools the victim\u0027s server exposes.\n\nBecause MCP servers frequently run with the user\u0027s privileges and expose developer tooling (filesystems, shells, browser control, language servers, etc.), the practical impact can extend to arbitrary code execution on the victim\u0027s machine.\n\n## Affected Versions\n\n`rmcp \u003c 1.4.0` \u2014 all prior releases of the Streamable HTTP server transport. Non-HTTP transports (stdio, child-process) are not affected.\n\n## Patched Versions\n\n`rmcp \u003e= 1.4.0` (current: 1.5.1).\n\n## Patch\n\nFixed in [PR #764](https://github.com/modelcontextprotocol/rust-sdk/pull/764) (commit `8e22aa2`), released as v1.4.0 on 2026-04-09:\n\n- `StreamableHttpServerConfig::allowed_hosts` now defaults to a loopback-only allowlist: `[\"localhost\", \"127.0.0.1\", \"::1\"]`.\n- All incoming HTTP requests pass through `validate_dns_rebinding_headers()`, which parses the `Host` header and returns HTTP 403 if the host is not on the allowlist.\n- Public deployments can configure an explicit allowlist via `StreamableHttpService::with_allowed_hosts(...)`, or opt out (not recommended without an upstream reverse proxy that validates `Host`) via `disable_allowed_hosts()`.\n\nThis fix validates the `Host` header only. `Origin` header validation is tracked as a defense-in-depth follow-up in [#822](https://github.com/modelcontextprotocol/rust-sdk/issues/822) and is not required to block the DNS rebinding attack described here \u2014 the browser cannot forge the Host header sent to the rebound server.\n\n## Workarounds for Unpatched Users\n\n- Upgrade to `rmcp \u003e= 1.4.0`.\n- If upgrade is not possible, place the MCP server behind a reverse proxy (e.g. nginx, Caddy) configured to reject requests whose `Host` header is not one of your expected hostnames.\n- Do not bind the MCP server to `0.0.0.0` without such a proxy.\n\n## Resources\n\n- PR: https://github.com/modelcontextprotocol/rust-sdk/pull/764\n- Issue: https://github.com/modelcontextprotocol/rust-sdk/issues/815\n- Follow-up (Origin validation): https://github.com/modelcontextprotocol/rust-sdk/issues/822\n- MCP transport security guidance: https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning\n\n## Related advisories (same class of vulnerability)\n\n- TypeScript SDK: GHSA-w48q-cv73-mx4w\n- Python SDK: GHSA-9h52-p55h-vw2f\n- Go SDK: GHSA-xw59-hvm2-8pj6\n- Java SDK: GHSA-8jxr-pr72-r468",
  "id": "GHSA-89vp-x53w-74fx",
  "modified": "2026-05-19T20:17:47Z",
  "published": "2026-05-06T21:55:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/rust-sdk"
    },
    {
      "type": "WEB",
      "url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0140.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rmcp Streamable HTTP server transport has a DNS rebinding vulnerability"
}

rustsec-2026-0140

Vulnerability from osv_rustsec

Published

2026-05-12 12:00

Modified

2026-05-19 05:50

Summary

DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport

Details

dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap.

A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header, which the server would then process. The Host check alone did not close a related cross-origin CSRF vector: a page could fetch the loopback endpoint with mode: 'no-cors', and the Host header would match while the Origin header went unchecked.

Affected MCP write tools include put_item, update_item, delete_item, create_table, and batch_write_item.

The stdio transport (dynoxide mcp without --http) is not affected.

Patches

dynoxide 0.9.13 closes both vectors:

Upgrades rmcp from 1.1.1 to 1.6.0 (which ships a default Host-header allowlist).
Sets explicit allowed_hosts and allowed_origins on StreamableHttpServerConfig.

Severity

8.8 (High)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

URL

Type

	https://crates.io/crates/dynoxide-rs	PACKAGE
	https://rustsec.org/advisories/RUSTSEC-2026-0140.html	ADVISORY
	https://github.com/nubo-db/dynoxide/security/advi…	ADVISORY
	https://github.com/nubo-db/dynoxide/releases/tag/…	WEB

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "dynoxide-rs",
        "purl": "pkg:cargo/dynoxide-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.3"
            },
            {
              "fixed": "0.9.13"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2026-42559",
    "GHSA-89vp-x53w-74fx",
    "GHSA-fvh2-gm75-j4j7"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "dynoxide\u0027s MCP HTTP transport was vulnerable to DNS rebinding via its transitive `rmcp` dependency, plus a related cross-origin CSRF gap.\n\nA malicious web page could make the user\u0027s browser send requests to a local `dynoxide mcp --http` or `dynoxide serve --mcp` server with a non-loopback `Host` header, which the server would then process. The Host check alone did not close a related cross-origin CSRF vector: a page could `fetch` the loopback endpoint with `mode: \u0027no-cors\u0027`, and the Host header would match while the Origin header went unchecked.\n\nAffected MCP write tools include `put_item`, `update_item`, `delete_item`, `create_table`, and `batch_write_item`.\n\nThe stdio transport (`dynoxide mcp` without `--http`) is not affected.\n\n## Patches\n\ndynoxide 0.9.13 closes both vectors:\n\n- Upgrades `rmcp` from 1.1.1 to 1.6.0 (which ships a default Host-header allowlist).\n- Sets explicit `allowed_hosts` and `allowed_origins` on `StreamableHttpServerConfig`.",
  "id": "RUSTSEC-2026-0140",
  "modified": "2026-05-19T05:50:44Z",
  "published": "2026-05-12T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/dynoxide-rs"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0140.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nubo-db/dynoxide/releases/tag/v0.9.13"
    }
  ],
  "related": [
    "GHSA-89vp-x53w-74fx"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DNS rebinding and cross-origin CSRF in dynoxide\u0027s MCP HTTP transport"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42559 (GCVE-0-2026-42559)

FKIE_CVE-2026-42559

GHSA-89VP-X53W-74FX

Summary

Impact

Affected Versions

Patched Versions

Patch

Workarounds for Unpatched Users

Resources

Related advisories (same class of vulnerability)

rustsec-2026-0140

Vulnerability from osv_rustsec

Patches

Tags

Sightings

Nomenclature