Vulnerability in RMCP Rust SDK Allows DNS Rebinding Attacks on MCP Servers
CVE-2026-42559

8.8 HIGH

Key Information:

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-42559?

The RMCP Rust SDK does not properly validate the incoming Host header in its Streamable HTTP server transport. This flaw can be exploited through a DNS rebinding attack, which lets a malicious public website send authenticated requests to an MCP server running on a victim's private network interface. The vulnerability is fixed in version 1.4.0 of the SDK, and it underlines the need for proper Host validation to prevent such exploits.
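The kind of Host check whose absence the description refers to, as an added example. It is not RMCP SDK code and not the 1.4.0 fix; the function names, the `ALLOWED` list and the sample Host values are assumptions constructed for illustration.

```rust
// Added example, not RMCP SDK code: names and the allowlist are assumptions.
const ALLOWED: &[&str] = &["localhost", "127.0.0.1", "[::1]"];

fn valid_port(p: &str) -> bool {
    !p.is_empty() && p.len() <= 5 && p.bytes().all(|b| b.is_ascii_digit())
}

/// Return the host part of a Host header value, without any `:port`.
/// Malformed values yield None so the caller rejects them.
fn hostname_of(host: &str) -> Option<&str> {
    let host = host.trim();
    if host.is_empty() {
        return None;
    }
    if host.starts_with('[') {
        // Bracketed IPv6 literal: "[::1]" or "[::1]:8000".
        let end = host.find(']')?;
        let rest = &host[end + 1..];
        let ok = rest.is_empty() || rest.strip_prefix(':').map_or(false, valid_port);
        return if ok { Some(&host[..=end]) } else { None };
    }
    match host.rsplit_once(':') {
        Some((name, port)) if !name.is_empty() && !name.contains(':') && valid_port(port) => {
            Some(name)
        }
        Some(_) => None, // unbracketed IPv6 or junk after the colon
        None => Some(host),
    }
}

/// Accept a request only when its Host header names this server.
/// A rebound request still carries the attacker's domain here, because the
/// browser sends the name it resolved, not the address it connected to.
fn host_allowed(header: Option<&str>, allowed: &[&str]) -> bool {
    match header.and_then(hostname_of) {
        Some(name) => allowed.iter().any(|a| a.eq_ignore_ascii_case(name)),
        None => false,
    }
}

fn main() {
    // Constructed Host values; the last stands in for a rebound attacker domain.
    for h in ["localhost:8000", "[::1]:8000", "rebind.attacker.example:8000"] {
        let verdict = if host_allowed(Some(h), ALLOWED) { "accept" } else { "reject" };
        println!("{h:<30} {verdict}");
    }
}
```

A server would run this check before any request handling and reject the request when it fails, including when the Host header is missing.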

Affected Version(s)

rust-sdk < 1.4.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
