Critical severityNVD Advisory· Published May 27, 2026· Updated May 29, 2026
CVE-2026-9739
CVE-2026-9739
Description
Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: * header in the SSE initialization handler was inadvertently retained. This vulnerability specifically impacts users connecting via Toolbox using SSE under specification v2024-11-05.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)
Patches
Vulnerability mechanics
References
2News mentions
2- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and MoreThe Hacker News · Jun 8, 2026
- Critical MCP Toolbox Vulnerability Impacts Enterprise Database onnectorsCyber Security News · Jun 1, 2026