DNS Rebinding Vulnerability in Go MCP SDK by Model Context Protocol
CVE-2026-34742

7.6 HIGH

Key Information:

CVE Published: 2 April 2026

What is CVE-2026-34742?

The Go MCP SDK, used to build HTTP-based server applications, did not enable DNS rebinding protection by default prior to version 1.4.0. The issue was exploitable when the server was running on localhost without proper authentication. Using DNS rebinding, a malicious website could circumvent same-origin policy restrictions and issue unauthorized requests to the local MCP server. This could let attackers access and manipulate resources exposed by the MCP server on behalf of authenticated users. Users are urged to upgrade to version 1.4.0 or later to mitigate this risk.

Affected Version(s)

go-sdk < 1.4.0

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
