CVE-2026-11717

An attacker can craft an opaque token and submit it to a Toolbox instance configured with a generic OAuth 2.0 introspection endpoint. If the introspection server responds with a JSON payload that omits the `active` field (or returns a response where `active` is absent), the nil pointer check in `validateOpaqueToken` passes without rejecting the token. This allows the attacker to bypass authentication and gain access to protected MCP tools and underlying data sources. The attack requires network access to the Toolbox server and knowledge of a valid introspection endpoint that can be induced to return an incomplete response.

The vulnerability resides in the `validateOpaqueToken` function within the generic OAuth token validation path (`internal/auth/generic/`). The `introspectResp` struct declares the `Active` field as a pointer to a boolean (`*bool`), and the code only rejects a token when `introspectResp.Active != nil && !*introspectResp.Active`. If the introspection endpoint omits the mandatory `active` key, the pointer remains `nil`, the condition short-circuits, and the token is accepted. The patch [patch_id=6466784] adds an explicit check for a missing `active` field and enforces `iss` (issuer) validation.

The patch [patch_id=6466784] adds a new test case `missing active claim` that expects an error when the introspection response lacks the `active` field. The corresponding production code change (not fully shown in the diff but implied by the test) ensures that `validateOpaqueToken` returns a `token is not active` error when the `active` field is missing or nil, rather than silently accepting the token. Additionally, the patch enforces `iss` (issuer) validation for generic OAuth tokens and separates Google-specific token validation into its own code path, preventing the same nil-pointer bypass from affecting Google token validation.