CVE-2026-34237: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in modelcontextprotocol java-sdk
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.
AI Analysis
Technical Summary
CVE-2026-34237 is a vulnerability identified in the modelcontextprotocol Java SDK, specifically in versions prior to 1.0.1 and 1.1.1. The root cause is a hardcoded wildcard in the Cross-Origin Resource Sharing (CORS) policy, which is a security feature that controls how resources on a web server can be requested from another domain. The vulnerability corresponds to CWE-942, which describes permissive cross-domain policies that allow untrusted domains to access resources. In this case, the SDK's CORS implementation indiscriminately permits any origin, effectively disabling the same-origin policy protections. This can allow malicious web pages from untrusted domains to perform cross-origin requests to the vulnerable SDK endpoints, potentially leading to unauthorized data disclosure or manipulation. The CVSS v3.1 base score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and having a scope change. The impact affects confidentiality and integrity but not availability. The vulnerability has been addressed in versions 1.0.1 and 1.1.1 of the SDK, where the CORS policy is presumably tightened to restrict allowed origins. No public exploits have been reported, but the presence of a hardcoded wildcard CORS policy represents a significant risk in web application security contexts, especially for applications relying on this SDK for cross-domain communications.
Potential Impact
The vulnerability can lead to unauthorized cross-origin requests from malicious websites, potentially exposing sensitive information or allowing attackers to perform unauthorized actions within the context of the vulnerable SDK. This compromises confidentiality and integrity of data handled by applications using the affected SDK versions. While availability is not impacted, the breach of confidentiality and integrity can have serious consequences, such as data leaks, session hijacking, or unauthorized command execution within the application context. Organizations relying on the modelcontextprotocol Java SDK in web applications or services that handle sensitive or regulated data are at risk. The ease of exploitation is relatively high due to the network attack vector and lack of required privileges, although user interaction is necessary. This vulnerability could be leveraged in targeted phishing or social engineering attacks to trick users into visiting malicious sites that exploit the permissive CORS policy. The scope is broad as it affects all deployments using the vulnerable SDK versions, potentially impacting a wide range of industries and sectors worldwide.
Mitigation Recommendations
The primary mitigation is to upgrade the modelcontextprotocol Java SDK to version 1.0.1 or 1.1.1 or later, where the vulnerability has been patched. Organizations should audit their current SDK versions and prioritize patching in development, staging, and production environments. Additionally, review and enforce strict CORS policies on all web-facing services, explicitly specifying trusted domains rather than using wildcards. Implement Content Security Policy (CSP) headers to restrict resource loading and reduce the risk of cross-origin attacks. Conduct security testing to verify that no other components or custom configurations introduce similar permissive CORS settings. Educate developers and security teams about the risks of overly permissive CORS configurations and incorporate secure coding practices for cross-domain communications. Monitor network traffic for unusual cross-origin requests that could indicate exploitation attempts. Finally, consider implementing web application firewalls (WAFs) with rules to detect and block suspicious CORS-related activities.
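The following is an added illustration of the difference between the weak setting this advisory describes and the explicit allowlist the mitigation calls for. It is generic, servlet-independent Java written for this page, not code from the MCP Java SDK or from the fix in 1.0.1/1.1.1; the allowlist, origins and class name are constructed for the demonstration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added example: deriving CORS response headers from a request's Origin header.
 * Not the MCP Java SDK's implementation; written for this page to contrast a
 * hardcoded wildcard (CWE-942) with an explicit origin allowlist.
 */
public final class CorsPolicyDemo {

    /** Weak policy: a hardcoded wildcard. Every origin, trusted or not, is allowed. */
    static Map<String, String> wildcardHeaders(String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Access-Control-Allow-Origin", "*");
        return headers;
    }

    /**
     * Hardened policy: CORS headers are emitted only when the Origin exactly
     * matches a configured entry (scheme, host and port as the browser sends it).
     * Any other origin gets no CORS headers, so the browser blocks the response.
     * Exact string comparison is deliberate: prefix/suffix or regex matching is
     * the usual way allowlists get bypassed.
     */
    static Map<String, String> allowlistHeaders(Set<String> allowedOrigins, String origin) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (origin == null) {
            return headers; // same-origin or non-browser request: nothing to grant
        }
        if (allowedOrigins.contains(origin)) {
            headers.put("Access-Control-Allow-Origin", origin); // echo only a vetted origin
            headers.put("Vary", "Origin");                      // keep shared caches per-origin
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed allowlist: the one front-end origin permitted to call this service.
        Set<String> allowed = Set.of("https://app.example.test");

        // Constructed Origin values a server might see (null = header absent).
        List<String> origins = Arrays.asList(
            "https://app.example.test",               // trusted
            "https://app.example.test.attacker.test", // suffix lookalike
            "http://app.example.test",                // wrong scheme
            "null",                                   // opaque origin (sandboxed frames, file://)
            null);

        for (String origin : origins) {
            System.out.println("Origin: " + origin);
            System.out.println("  wildcard  -> " + wildcardHeaders(origin));
            System.out.println("  allowlist -> " + allowlistHeaders(allowed, origin));
        }
    }
}
```

Running `main` shows the wildcard variant granting `Access-Control-Allow-Origin: *` to every origin, while the allowlist variant returns headers only for the exact trusted origin and nothing for the lookalike, the wrong-scheme variant, the literal `null` origin, or a request with no Origin header. The same exact-match rule is what to look for when auditing other components for the permissive settings the mitigation section mentions.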
Affected Countries
United States, Germany, United Kingdom, India, Japan, South Korea, Canada, Australia, France, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-26T16:22:29.034Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cbedf2e6bfc5ba1d248101
Added to database: 3/31/2026, 3:53:22 PM
Last enriched: 3/31/2026, 4:09:51 PM
Last updated: 4/1/2026, 3:55:58 AM