CVE-2026-9739

UNKNOWN 0.0

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

5th

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. However, the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.

CWE	CWE-942
Vendor	google
Product	mcp toolbox for databases
Ecosystems	Android Cloud Chrome
Industries	Technology
Published	May 27, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for google mcp toolbox for databases

Be the first to know when new unknown vulnerabilities affecting google mcp toolbox for databases are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Google / MCP Toolbox for Databases

0 < PR 3054 (Fix CORS bypass)

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/googleapis/mcp-toolbox/issues/3053 github.com: https://github.com/googleapis/mcp-toolbox/pull/3054