Google MCP Toolbox CVE-2026-9739 — DNS Rebinding to Enterprise Databases

AI relevance: MCP Toolbox connects AI agents directly to production databases (Cloud SQL, AlloyDB, Spanner) — a DNS rebinding flaw on its SSE transport gives an attacker command-level database access through the agent's trust boundary.

• CVE-2026-9739 carries a CVSS 4.0 score of 9.4, rated Critical
• Root cause: a hardcoded Access-Control-Allow-Origin: * header was accidentally left in the SSE initialization handler during beta, silently overriding the allowed-origins and allowed-hosts flags added later to comply with MCP security guidelines
• Attack path: attacker sends a Chrome user to a malicious page that performs DNS rebinding, tricking the browser into treating the attacker's domain as the trusted local Toolbox endpoint, then opens an unauthorized SSE connection
• Impact spans confidentiality, integrity, and availability across the connected database — including arbitrary command execution against the database interface
• Classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), network attack vector, no privileges required, user interaction only via browser visit
• Part of a broader pattern of DNS rebinding flaws across MCP implementations, alongside CVE-2026-34742 (Go MCP SDK) and CVE-2026-35568 (MCP Java SDK)
• No public PoC or confirmed wild exploitation yet, but the combination of critical severity, zero auth requirement, and direct database access demands immediate patching

Why it matters

Every new MCP server that agents depend on extends the attack surface of the agent ecosystem. A CORS misconfiguration on a database gateway means a compromised agent can be weaponized against enterprise data — the exact supply-chain escalation that MCP security guidelines were designed to prevent, but failed to catch in this case because a beta-era header survived into production.

What to do

• Update Google MCP Toolbox to the patched version (fix in PR #3054)
• Disable SSE transport if not operationally required
• Audit all MCP-connected AI agent pipelines for exposed Toolbox instances, especially in cloud-hosted environments
• Enforce strict CORS headers and add DNS rebinding protections via firewall rules or DNS filtering

Sources:

• NVD — CVE-2026-9739
• GitHub Issue #3053
• CyberPress coverage