CVE-2026-9739

Name of the Vulnerable Software and Affected Versions Toolbox (affected versions not specified)

Description The software is susceptible to DNS rebinding attacks when using Server-Sent Events (SSE) under specification v2024-11-05. This occurs because the SSE initialization handler retains a hardcoded Access-Control-Allow-Origin: * header, which bypasses the security provided by the allowed-origins and allowed-hosts flags implemented to align with Model Context Protocol (MCP) security guidelines.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.