PT-2026-38277 · Pypi · Dynoxide+1

Jlleitschuh

·

Published

2026-05-06

·

Updated

2026-05-18

·

CVE-2026-42559

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

rmcp versions prior to 1.4.0
dynoxide versions prior to 0.9.13

Description

The Streamable HTTP server transport in the rmcp crate fails to validate the incoming Host header. This allows a malicious public website to use a DNS rebinding attack (a technique where a domain name is redirected to a different IP address after the initial DNS resolution) to send authenticated requests to an MCP server on a victim's loopback or private-network interface. An attacker can enumerate and invoke tools, read resources, and trigger side effects such as file writes or shell execution. In dynoxide, this issue also enables a cross-origin CSRF (Cross-Site Request Forgery) gap, where a page can send requests to a local server using fetch with mode: 'no-cors', bypassing the Host check because the Origin header remains unchecked. Affected write tools in dynoxide include put_item(), update_item(), delete_item(), create_table(), and batch_write_item().

Recommendations

Update rmcp to version 1.4.0 or later. Update dynoxide to version 0.9.13 or later. As a temporary workaround for rmcp, place the MCP server behind a reverse proxy configured to reject requests with unexpected Host headers, and avoid binding the server to 0.0.0.0 without such a proxy.
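The two checks the description says are missing, Host validation (against DNS rebinding) and Origin validation (against the no-cors CSRF gap), as an added Rust example that is not code from rmcp or dynoxide. It assumes a server that listens on `port` and is only ever reached through loopback names; `check_request`, `host_allowed`, `origin_allowed` and `Verdict` are hypothetical names.

```rust
// Added example (not rmcp's or dynoxide's code): a Host/Origin check a
// loopback MCP server could run before dispatching a Streamable HTTP request.
// Assumes the server listens on `port` and is reached via localhost names only.

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, BadHost, BadOrigin }

/// Split "name:port" or "[v6]:port" into (name, explicit port).
fn split_host(h: &str) -> Option<(&str, Option<u16>)> {
    if let Some(rest) = h.strip_prefix('[') {
        let (name, tail) = rest.split_once(']')?;
        if tail.is_empty() { return Some((name, None)); }
        return Some((name, Some(tail.strip_prefix(':')?.parse().ok()?)));
    }
    match h.rsplit_once(':') {
        Some((name, p)) => Some((name, Some(p.parse().ok()?))),
        None => Some((h, None)),
    }
}

/// Host must name the loopback interface and carry our port (80 if omitted).
/// A rebound public name such as "attacker.example:8080" never passes.
pub fn host_allowed(host: &str, port: u16) -> bool {
    let h = host.trim().to_ascii_lowercase();
    match split_host(&h) {
        Some((name, p)) => {
            matches!(name, "localhost" | "127.0.0.1" | "::1") && p.unwrap_or(80) == port
        }
        None => false,
    }
}

/// Browser-issued requests carry Origin; only a local http origin is acceptable.
/// A missing Origin is treated as a non-browser MCP client (policy assumption).
pub fn origin_allowed(origin: Option<&str>, port: u16) -> bool {
    let Some(o) = origin else { return true };
    let o = o.trim().to_ascii_lowercase();
    match o.strip_prefix("http://") {
        Some(rest) => host_allowed(rest, port),
        None => false, // https://evil.example, "null", or anything malformed
    }
}

/// Reject on Host first (DNS rebinding), then on Origin (cross-site CSRF).
pub fn check_request(host: Option<&str>, origin: Option<&str>, port: u16) -> Verdict {
    match host {
        Some(h) if host_allowed(h, port) => {
            if origin_allowed(origin, port) { Verdict::Allow } else { Verdict::BadOrigin }
        }
        _ => Verdict::BadHost,
    }
}
```

A reverse proxy in front of an unpatched rmcp server can apply the same Host rule; the Origin rule is what closes the no-cors path the dynoxide entry describes.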

Fix

Origin Validation Error

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-42559
GHSA-89VP-X53W-74FX
GHSA-FVH2-GM75-J4J7
RUSTSEC-2026-0140

Affected Products

Dynoxide
Rmcp