CVE-2026-34742 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: April 3, 2026
Go MCP SDK - DNS Rebinding
Published: April 2, 2026 | Updated: April 3, 2026 | Remote Exploitable
Overview
Go MCP SDK versions before 1.4.0 contain a DNS rebinding vulnerability: HTTP-based servers lack DNS rebinding protection, which lets attackers bypass the same-origin policy and send requests to a local MCP server. Exploitation requires the server to be running on localhost without authentication.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can bypass the same-origin policy to send requests to the local MCP server, potentially invoking tools or accessing resources on behalf of the user.
Mitigation
Update to version 1.4.0 or later.
References
- https://github.com/modelcontextprotocol/go-sdk/commit/67bd3f2e2b53ce11a16db8d976cdb8ff1e986b6d
- https://github.com/modelcontextprotocol/go-sdk/pull/760
- https://github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.0
- https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6
Details
- CVE ID: CVE-2026-34742
- Severity: High
- CVSS Score: 8.1
- Type: dns_rebinding
- Status: confirmed
CWE
- CWE-1188
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N