PT-2026-29161 · Maven · Io.Modelcontextprotocol.Sdk:Mcp-Core
Published
2026-03-30
·
Updated
2026-03-30
·
CVE-2026-34237
CVSS v3.1
6.1
Medium
| AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Summary
Hardcoded Wildcard CORS (Access-Control-Allow-Origin: * )
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525
Attack Scenario
An attacker-controlled web page instructs the victim's browser to open GET https://internal-mcp-server/sse. Because Access-Control-Allow-Origin: * allows cross-origin SSE reads, the attacker's page receives the endpoint event — which contains the session ID. The attacker can then POST to that endpoint from their page using the victim's browser as a relay.
Comparison with python-sdk
No Access-Control-Allow-Origin header is emitted by either Python transport. The browser's default same-origin policy remains in full effect.
https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/sse.py
https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable http.py
Recommendation
In the SDK, the transport layer should not own CORS policy. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer.
Resources
- https://cheatsheetseries.owasp.org/cheatsheets/HTTP Headers Cheat Sheet.html#access-control-allow-origin
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Io.Modelcontextprotocol.Sdk:Mcp-Core