CVE Catalog

CVE-2026-11624

CriticalCVSS 9.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

The Model Context Protocol has a security warning advising servers to validate the 'Origin' header on all incoming connections to prevent DNS rebinding attacks. In version 0.25.0, a new '--allowed-hosts' flag was introduced, allowing users to specify permitted hosts at server startup.

Risk Assessment

Lack of validation for the 'Origin' header may lead to DNS rebinding attacks, posing a risk of unauthorized access to server resources. Users should be aware of potential security vulnerabilities, especially when using default settings.

Recommendation

It is recommended that server administrators update their configurations by setting appropriate values for the '--allowed-hosts' and '--allowed-origins' flags to implement strict access controls. Additionally, monitor startup warnings regarding potential vulnerabilities.

Original NVD description (English source)

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS