A critical security vulnerability tracked as CVE-2026-9739 has been disclosed in Google’s MCP Toolbox for Databases, a widely used open-source connector that links AI agents and applications to enterprise database infrastructure.
The flaw, rated 9.4 CRITICAL on the CVSS 4.0 scale, exposes organizations to DNS rebinding attacks through a hardcoded, permissive cross-origin header that completely overrides configured access controls, silently defeating security policies that administrators believed were protecting their systems.
The vulnerability stems from a subtle yet dangerous development oversight in the Server-Sent Events (SSE) initialization handler of MCP Toolbox.
During the tool’s beta phase, Google’s development team implemented allowed-origins and allowed-hosts configuration flags specifically to comply with the Model Context Protocol (MCP) security specification guidelines.
However, a hardcoded Access-Control-Allow-Origin: * wildcard header was inadvertently left in place within the SSE handler source code.
This retained wildcard header overrides the entire Cross-Origin Resource Sharing (CORS) middleware stack, meaning that even correctly configured allowed-origins flags are rendered completely ineffective at the SSE endpoint.
Attackers exploiting this flaw can perform DNS rebinding attacks, a technique in which a malicious domain first resolves to an attacker-controlled server, then re-resolves to the victim’s localhost or an internal network IP, effectively bypassing the browser’s same-origin policy.
DNS rebinding attacks exploit the trust browsers place in DNS resolution. When a user visits a malicious website, the attacker’s domain initially resolves normally. Within seconds, the attacker changes the DNS TTL to redirect the domain to 127.0.0.1 or an internal network address. Because the browser now sees the malicious origin as “the same origin” as the local MCP Toolbox server, it freely makes cross-origin requests that the policy flags should have blocked.
The presence of the hardcoded Access-Control-Allow-Origin: * header in the SSE handler accelerates and amplifies this attack.
Because the wildcard header is sent during SSE initialization, any domain, malicious or otherwise, is implicitly trusted from the very first connection handshake.
This means the attacker does not even need to complete a full DNS rebinding cycle; any external origin can issue authenticated requests directly to the Toolbox SSE endpoint.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-9739 |
| Published | May 27–28, 2026 |
| CVSS 4.0 Score | 9.4 CRITICAL |
| CVSS 3.0 Score | 9.8 CRITICAL |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | Active (UI:A) |
| Confidentiality Impact | High (VC:H) |
| Integrity Impact | High (VI:H) |
| Availability Impact | High (VA:H) |
| CWE Classification | CWE-942 – Permissive Cross-domain Policy |
| Affected Specification | MCP SSE v2024-11-05 |
The real-world impact of CVE-2026-9739 extends well beyond CORS misconfiguration. Because MCP Toolbox directly bridges AI agents to enterprise databases including PostgreSQL, BigQuery, and other critical data stores — an attacker who successfully exploits this vulnerability can:
- Execute arbitrary MCP tools on behalf of authenticated users without their knowledge or consent
- Hijack active sessions by using the exploited Toolbox instance as an open proxy to route attacker-controlled commands
- Silently exfiltrate sensitive data from connected enterprise databases through the hijacked SSE channel
- Bypass enterprise-grade access controls such as VPC rules and network-layer firewalls that protect internal toolbox deployments
Particularly alarming is that this attack requires no elevated privileges and has low attack complexity according to its CVSS vector, meaning even moderately skilled threat actors can weaponize it.
The vulnerability specifically affects users connecting via Toolbox over the SSE transport under the MCP specification v2024-11-05.
CVE-2026-9739 is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), a weakness that describes software using a cross-domain access policy that implicitly trusts domains it should not.
In practical terms, when Access-Control-Allow-Origin: * is set, any website on the internet including adversary-controlled infrastructure can send credentialed requests to the affected server and read the responses.
This mirrors the impact of Cross-Site Scripting (CWE-79) in severity, enabling injection of malicious content, theft of session tokens, and unauthorized server-side operations against real authenticated users.
Mitigation
Google has acknowledged the vulnerability through GitHub issue #3053 and proposed a fix via pull request #3054. The remediation involves removing the hard-coded Access-Control-Allow-Origin: * line from the SSE initialization handler.
Allowing the global CORS middleware to enforce the correctly allowed-origins and allowed-hosts flags set by administrators.
Until a fully patched release is confirmed, security teams should take the following immediate steps:
- Disable or avoid SSE connections under MCP specification v2024-11-05 where possible
- Implement network-level controls (e.g., firewall rules, VPC policies) to restrict which domains can reach Toolbox SSE endpoints
- Monitor SSE traffic logs for anomalous cross-origin requests from untrusted or unexpected domains
- Patch immediately once Google releases an official fixed version, and verify the hardcoded header has been removed from the deployed build.
As of publication, no active exploits in the wild have been confirmed, but the low attack complexity and critical CVSS score make this a high-priority patching target.
FAQ
Q1. What is CVE-2026-9739?
CVE-2026-9739 is a critical (CVSS 9.4) DNS rebinding vulnerability in Google MCP Toolbox for Databases caused by a hardcoded Access-Control-Allow-Origin: * header in the SSE handler that bypasses all configured CORS restrictions.
Q2. Who is affected by CVE-2026-9739?
Organizations and developers using Google MCP Toolbox for Databases with SSE transport under the v2024-11-05 MCP specification are directly affected, particularly those connected to enterprise databases such as PostgreSQL or BigQuery.
Q3. Is there an active exploit available for CVE-2026-9739?
As of late May 2026, no public exploit code or confirmed in-the-wild exploitation has been reported, though the low attack complexity significantly elevates the risk of rapid weaponization.
Q4. How do I fix the CVE-2026-9739 vulnerability?
Remove the hardcoded Access-Control-Allow-Origin: * header from the SSE initialization handler so global CORS middleware correctly enforces allowed-origins and allowed-hosts flags, and monitor Google’s official GitHub repository for the patched release.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
