Go MCP SDK v<1.4.0 DNS Rebinding (HTTP/SSE) Vulnerability
CVE-2026-34742 Published on April 2, 2026

Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. This issue has been patched in version 1.4.0.

NVD

Vulnerability Analysis

CVE-2026-34742 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

Insecure Default Initialization of Resource

The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.


Products Associated with CVE-2026-34742

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 

Affected Versions

modelcontextprotocol go-sdk: Red Hat OpenShift Dev Spaces 3.28: Red Hat Migration Toolkit for Virtualization: Red Hat Migration Toolkit for Virtualization: Red Hat Migration Toolkit for Virtualization: Red Hat Migration Toolkit for Virtualization: Red Hat Migration Toolkit for Virtualization: Red Hat OpenShift Lightspeed: Red Hat OpenShift Serverless: Red Hat OpenShift Serverless: Red Hat OpenShift AI (RHOAI):

Exploit Probability

EPSS
0.42%
Percentile
33.45%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.