CVE-2026-34237

MEDIUM

MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)

Title source: cna

Description

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.

References (3)

[X_Refsource_Confirm] https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22

[X_Refsource_Misc] https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289

[X_Refsource_Misc] https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525

View Writeup ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 10.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-942

Status published

Products (5)

io.modelcontextprotocol.sdk/mcp-core 0 - 1.0.1Maven

lfprojects/mcp_java_sdk 1.1.0

lfprojects/mcp_java_sdk < 1.0.1

modelcontextprotocol/java-sdk < 1.0.1

modelcontextprotocol/java-sdk < 1.1.1

Published Mar 31, 2026

Tracked Since Mar 31, 2026