High severity · 8.8 · GHSA Advisory · Published May 14, 2026 · Updated May 14, 2026
CVE-2026-42559
Description
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
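A Host header check of the kind the description says was missing, as an added example; it is not the rmcp crate's code or its 1.4.0 fix. The function names and the policy (accept loopback IP literals plus an explicit list of names) are assumptions for illustration.

```rust
use std::net::IpAddr;

// Hypothetical helper names; this is not the rmcp API.
fn is_port(p: &str) -> bool {
    p.bytes().all(|b| b.is_ascii_digit()) && p.parse::<u16>().is_ok()
}

/// Return the lowercase host from a Host header value, without the port.
/// Malformed values yield None so the caller fails closed.
fn host_without_port(value: &str) -> Option<String> {
    let v = value.trim();
    if let Some(rest) = v.strip_prefix('[') {
        // Bracketed IPv6 literal: "[::1]" or "[::1]:8080".
        let (addr, tail) = rest.split_once(']')?;
        let port_ok = tail.is_empty() || tail.strip_prefix(':').map_or(false, is_port);
        return port_ok.then(|| addr.to_ascii_lowercase());
    }
    let (host, port) = match v.rsplit_once(':') {
        Some((h, p)) => (h, Some(p)),
        None => (v, None),
    };
    if host.is_empty() || host.contains(':') || port.map_or(false, |p| !is_port(p)) {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// Assumed policy: accept loopback IP literals and explicitly allowed names.
/// A rebinding page's requests carry the attacker's own domain in Host, so they fail.
fn host_allowed(header: Option<&str>, allowed_names: &[&str]) -> bool {
    let Some(host) = header.and_then(host_without_port) else {
        return false; // missing or malformed Host header
    };
    host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
        || allowed_names.iter().any(|n| n.eq_ignore_ascii_case(&host))
}

fn main() {
    // Constructed sample Host header values.
    let samples = ["localhost:8080", "[::1]:8080", "rebind.attacker.example:8080"];
    for h in samples {
        let verdict = if host_allowed(Some(h), &["localhost"]) { "allow" } else { "reject (403)" };
        println!("{h:<32} {verdict}");
    }
}
```

The check belongs before any session or authentication handling, so a request with an unexpected Host never reaches the MCP handlers.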
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rmcp (crates.io) | < 1.4.0 | 1.4.0 |
Affected products (5)
- Range: < 1.4.0
- osv-coords (4 versions): < 0.112.2-r3, + 3 more
- (no CPE) range: < 0.112.2-r3
- (no CPE) range: < 1.2.6-r1
- (no CPE) range: < 0.112.2-r3
- (no CPE) range: < 1.2.6-r1
References (10)
- github.com/advisories/GHSA-89vp-x53w-74fx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-42559 (ghsa, ADVISORY)
- github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3 (nvd, WEB)
- github.com/modelcontextprotocol/rust-sdk/issues/815 (nvd, WEB)
- github.com/modelcontextprotocol/rust-sdk/issues/822 (nvd, WEB)
- github.com/modelcontextprotocol/rust-sdk/pull/764 (nvd, WEB)
- github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx (nvd, WEB)
- github.com/nubo-db/dynoxide/security/advisories/GHSA-fvh2-gm75-j4j7 (ghsa, WEB)
- modelcontextprotocol.io/specification/2025-06-18/basic/transports (ghsa, WEB)
- rustsec.org/advisories/RUSTSEC-2026-0140.html (ghsa, WEB)