CVE-2026-34237
MEDIUM
6.1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: low
Integrity: low
Availability: none
Description
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.
CWE-942
Permissive Cross-domain Security Policy with Untrusted Domains
Incomplete
Common Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands
Bypass Protection Mechanism
Read Application Data
Varies By Context
Applicable Platforms
Technologies:
Web Based, Web Server
https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/ja…
https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/ja…
https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-…