Toolbox · Toolbox · CVE-2026-9739
**Name of the Vulnerable Software and Affected Versions**
Toolbox (affected versions not specified)
**Description**
The software is susceptible to DNS rebinding attacks when using Server-Sent Events (SSE) under specification v2024-11-05. This occurs because the SSE initialization handler retains a hardcoded `Access-Control-Allow-Origin: *` header, which bypasses the security provided by the `allowed-origins` and `allowed-hosts` flags implemented to align with Model Context Protocol (MCP) security guidelines.
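The flaw described above and a stricter handler side by side, as an added Go example that is not Toolbox's own code. The names `policy`, `weakSSE`, `strictSSE` and `probe`, the hostnames and the event payload are assumptions constructed for illustration; the two maps stand in for the `allowed-origins` and `allowed-hosts` flags.

```go
// Added example, not Toolbox code; all names are hypothetical, inputs are constructed.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

type policy struct{ origins, hosts map[string]bool }

// weakSSE: allowlists are configured, but the wildcard header ignores them.
func (p policy) weakSSE(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /constructed\n\n")
}

// strictSSE checks Host, then echoes Origin only when it is allowlisted.
func (p policy) strictSSE(w http.ResponseWriter, r *http.Request) {
	if !p.hosts[r.Host] {
		http.Error(w, "host not allowed", http.StatusForbidden)
		return
	}
	if o := r.Header.Get("Origin"); o != "" {
		if !p.origins[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", o)
		w.Header().Add("Vary", "Origin")
	}
	w.Header().Set("Content-Type", "text/event-stream")
	fmt.Fprint(w, "event: endpoint\ndata: /constructed\n\n")
}

// probe sends one constructed request; returns status and CORS header.
func probe(h http.HandlerFunc, host, origin string) (int, string) {
	r := httptest.NewRequest(http.MethodGet, "http://"+host+"/sse", nil)
	r.Header.Set("Origin", origin)
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code, w.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	p := policy{map[string]bool{"http://localhost:3000": true}, map[string]bool{"127.0.0.1:5000": true}}
	fmt.Println(probe(p.weakSSE, "rebind.example:5000", "http://rebind.example:5000"))
	fmt.Println(probe(p.strictSSE, "rebind.example:5000", "http://rebind.example:5000"))
}
```

The `Host` check matters because a request sent after rebinding is same-origin from the browser's point of view and may carry no `Origin` header, while its `Host` header still names the foreign hostname.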
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.