CORS Vulnerability in MCP Java SDK Affects Model Context Protocol Servers
CVE-2026-34237

6.1 MEDIUM

Key Information:

CVE Published: 31 March 2026

What is CVE-2026-34237?

The MCP Java SDK, used for Model Context Protocol servers and clients, is vulnerable because of hardcoded wildcard CORS settings. This flaw can allow unauthorized cross-origin requests, potentially leading to security breaches. Users are advised to upgrade to version 1.0.1 or 1.1.1, which contain the patches that address the vulnerability.

Affected Version(s)

java-sdk < 1.0.1

java-sdk < 1.1.1

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
