CVE-2026-34237

MEDIUM

MCP Java SDK HTTP Transports - Wildcard CORS

Title source: manual

Description

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22

X_Refsource_Misc x_refsource_misc

https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525

View Writeup ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0022

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-942

Status published

Products (10)

io.modelcontextprotocol.sdk/mcp-core 0 - 0.18.3Maven

io.modelcontextprotocol.sdk/mcp-core 1.0.0 - 1.0.1Maven

io.modelcontextprotocol.sdk/mcp-core 1.1.0 - 1.1.1Maven

lfprojects/mcp_java_sdk 1.1.0

lfprojects/mcp_java_sdk < 1.0.1

modelcontextprotocol/java-sdk < 0.18.3

modelcontextprotocol/java-sdk < 1.0.1

modelcontextprotocol/java-sdk < 1.1.1

modelcontextprotocol/java-sdk >= 1.0.0, < 1.0.1

modelcontextprotocol/java-sdk >= 1.1.0, < 1.1.1

Published Mar 31, 2026

Tracked Since Mar 31, 2026