CVE-2026-11624: CWE-346: Origin Validation Error in Google MCP Toolbox for Databases
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.
AI Analysis
Technical Summary
The vulnerability involves the Model Context Protocol's lack of origin host validation prior to MCP Toolbox for Databases v0.25.0, allowing potential DNS rebinding attacks. The introduction of the "--allowed-hosts" flag in v0.25.0 allows users to specify permitted hosts at server startup, complementing the "--allowed-origins" flag. Both flags default to "*", maintaining backward compatibility but warning users about security risks. Documentation updates emphasize these security considerations. No official remediation level or patch is indicated in the advisory, and no affected versions are explicitly stated.
Potential Impact
The vulnerability can allow attackers to bypass origin validation, potentially enabling DNS rebinding attacks that compromise server security. The CVSS 4.0 score of 9.4 indicates a critical severity with high impact on confidentiality, integrity, and availability. However, no known exploits are reported in the wild. The lack of strict origin validation prior to v0.25.0 means deployments using default configurations may be vulnerable.
Mitigation Recommendations
Users should upgrade to MCP Toolbox for Databases version 0.25.0 or later and configure the "--allowed-hosts" and "--allowed-origins" flags to specify permitted hosts and origins explicitly rather than using the default "*" wildcard. The server outputs a startup warning if either flag is set to "*", prompting administrators to tighten access controls. No official patch or remediation level is provided, so following the configuration guidance and upgrading to the version with these flags is the recommended mitigation.
CVSS v4.0 Score: 9.4 (Critical)
Weaknesses: CWE-346: Origin Validation Error
Technical Details
- Data Version: 5.2
- Assigner Short Name:
- Date Reserved: 2026-06-08T20:57:51.543Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2d21c9e617e2d834ac3302
Added to database: 6/13/2026, 9:24:25 AM
Last enriched: 6/13/2026, 9:39:19 AM
Last updated: 6/13/2026, 11:36:36 AM