ModelContextProtocol — Java SDK DNS rebinding vulnerability allows MCP server takeover (CVE-2026-35568)

AI relevance: MCP Java SDK enables Java applications to securely interface with AI agents through Model Context Protocol, but DNS rebinding vulnerabilities allow attackers to bypass security controls and execute unauthorized tool calls as if they were local AI agents.

CVE-2026-35568 discloses a critical DNS rebinding vulnerability in the Model Context Protocol Java SDK that allows attackers to bypass origin validation checks and gain unauthorized access to local MCP servers, with a CVSS 4.0 base score of 7.6.

What happened

• CVE-2026-35568: Origin validation error (CWE-346) in MCP Java SDK
• CVSS 7.6: High severity (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
• Impact: Unauthorized tool call execution on MCP servers
• Affected: MCP Java SDK versions prior to 1.0.0
• Fixed: Version 1.0.0 released with DNS rebinding protection

Technical details

• DNS rebinding attack: Manipulates DNS responses to bypass origin checks
• Origin validation flaw: Inadequate validation of HTTP Origin headers
• Local server access: Targets locally or network-private MCP servers
• Tool call execution: Attacker can invoke any MCP tool call remotely
• Privilege escalation: Operates with local MCP agent privileges

Why this matters

• AI agent security: MCP servers bridge AI models to external tools and APIs
• Enterprise risk: Corporate AI infrastructure vulnerable to remote takeover
• Supply chain implications: Java SDK used by Spring AI and enterprise applications
• Protocol maturity: Highlights security gaps in emerging AI standardization efforts
• Detection challenges: Legitimate-looking requests from compromised browsers

Broader implications

• AI infrastructure trust: Undermines security of AI agent tool interactions
• Java ecosystem impact: Affects Spring AI integrations and Java-based MCP deployments
• Standardization urgency: Emphasizes need for robust security in AI protocol standards
• Browser security relevance: DNS rebinding remains persistent web security challenge
• Zero-trust necessity: Reinforces need for comprehensive authentication in AI infrastructure

What to do

• Update immediately: Upgrade to MCP Java SDK version 1.0.0 or later
• Network segmentation: Restrict MCP server network exposure to minimal necessary
• Origin validation: Implement strict HTTP Origin header validation in custom MCP servers
• Access monitoring: Deploy detailed logging of all MCP tool call interactions
• Security assessment: Conduct penetration testing of AI infrastructure components
• Browser hardening: Consider DNS rebinding protection mechanisms in client environments

Sources

• OffSeq Threat Radar — CVE-2026-35568 MCP Java SDK DNS Rebinding
• GitHub — MCP Java SDK 1.0.0 Release Notes
• Model Context Protocol — Security Documentation
• MITRE — CVE-2026-35568 Official Record
• Spring AI — MCP Security Documentation

This vulnerability demonstrates the critical importance of robust origin validation in AI infrastructure components that enable large language models to interact securely with external systems and enterprise tools.