CVE Catalog

CVE-2026-11718

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

An authentication bypass vulnerability exists in the opaque token validation path of googleapis/mcp-toolbox. This flaw allows the acceptance of tokens issued by unauthorized identity providers when the external OAuth provider's response omits the 'iss' field.

Risk Assessment

The organization may be exposed to unauthorized access to resources, potentially leading to data breaches or other serious security incidents.

Recommendation

It is recommended to update the googleapis/mcp-toolbox library and implement additional token validation checks to ensure that only tokens from trusted providers are accepted.

Original NVD description (English source)

An authentication bypass vulnerability exists in the generic opaque token validation path (validateOpaqueToken) of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, the subsequent claim-checking logic (validateClaims) evaluates the issuer condition as if a.issuer != "" && iss != "". If the external OAuth provider's introspection response omits the optional iss (issuer) field completely, the variable iss defaults to an empty string. This causes the conditional block to evaluate to false and be skipped silently. Consequently, the application accepts tokens issued by unauthorized or unintended third-party identity providers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS