CVE-2026-9739 Google CVE debrief

Who should care

Organizations deploying MCP Toolbox with SSE transport under specification v2024-11-05; security teams managing CORS policies for real-time streaming endpoints; developers implementing MCP-based services with cross-origin requirements

Technical summary

The MCP Toolbox SSE implementation contains a DNS rebinding vulnerability caused by a hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler. While beta-phase security improvements introduced `allowed-origins` and `allowed-hosts` configuration flags to align with MCP security guidelines, the permissive CORS header was not removed. This allows malicious websites to bypass same-origin policy protections through DNS rebinding attacks, potentially enabling unauthorized access to SSE streams. The vulnerability is specific to Toolbox connections using SSE under MCP specification v2024-11-05. The CVSS 4.0 score of 9.4 reflects the critical nature of this cross-origin policy weakness in a network-accessible service.

Defensive priority

CRITICAL

Recommended defensive actions

• Review MCP Toolbox SSE deployment configurations for specification v2024-11-05 usage
• Verify `allowed-origins` and `allowed-hosts` flags are properly configured and enforced
• Apply security patches from referenced pull request when available
• Implement network segmentation to restrict DNS rebinding attack surface for SSE endpoints
• Monitor for anomalous cross-origin requests to Toolbox SSE services
• Conduct security review of CORS policy implementations in MCP-based services

Evidence notes

Official CVE record published 2026-05-27. Source references include GitHub issue and pull request from googleapis/mcp-toolbox repository. CVSS 4.0 vector confirms critical severity with network-exploitable conditions and high impact across all security dimensions.

Official resources