CVE-2026-11624
CriticalCVSS 9.4Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
The Model Context Protocol has a security warning advising servers to validate the 'Origin' header on all incoming connections to prevent DNS rebinding attacks. In version 0.25.0, a new '--allowed-hosts' flag was introduced, allowing users to specify permitted hosts at server startup.
Risk Assessment
Lack of validation for the 'Origin' header may lead to DNS rebinding attacks, posing a risk of unauthorized access to server resources. Users should be aware of potential security vulnerabilities, especially when using default settings.
Recommendation
It is recommended that server administrators update their configurations by setting appropriate values for the '--allowed-hosts' and '--allowed-origins' flags to implement strict access controls. Additionally, monitor startup warnings regarding potential vulnerabilities.
Original NVD description (English source)
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

