Home

Description

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).

PUBLISHED Reserved 2026-06-09 | Published 2026-06-18 | Updated 2026-06-18 | Assigner Google




HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

Default status
unaffected

1.3.0
affected

Credits

HE WEI(ギカク)(https://www.linkedin.com/in/gikaku/) finder

References

github.com/googleapis/mcp-toolbox/pull/3335

github.com/googleapis/mcp-toolbox/pull/3049

cve.org (CVE-2026-11719)

nvd.nist.gov (CVE-2026-11719)

Download JSON