Lucene search
K

7 matches found

NVD
NVD
added 2026/06/29 6:16 p.m.7 views

CVE-2026-11720

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the...

9.3CVSS0.00374EPSS
Exploits0References1
CVE
CVE
added 2026/06/29 5:51 p.m.18 views

CVE-2026-11720

The CVE-2026-11720 entry describes a path traversal flaw in the HTTP tool URL builder of googleapis/mcp-toolbox. User-controlled pathParams are substituted into a configured tool path and then parsed as a relative URL; while scheme/host/user info are checked, final resolution uses ResolveReferenc...

9.3CVSS5.8AI score0.00374EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/18 3:32 p.m.5 views

GHSA-5GF6-GC35-XJPC MCP Toolbox for Databases: authenticated authorization bypass

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS5.9AI score0.0015EPSS
Exploits0References4
NVD
NVD
added 2026/06/18 2:17 p.m.12 views

CVE-2026-11718

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

9.3CVSS0.00204EPSS
Exploits0References1
NVD
NVD
added 2026/06/18 2:17 p.m.15 views

CVE-2026-11717

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...

9.3CVSS0.00195EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/18 11:50 a.m.10 views

EUVD-2026-37879

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...

9.3CVSS5.4AI score0.00195EPSS
Exploits0References1
CVE
CVE
added 2026/06/18 11:50 a.m.46 views

CVE-2026-11717

CVE-2026-11717 details an authentication bypass in googleapis/mcp-toolbox, specifically in the validateOpaqueToken path. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp with Active as a *bool. The ...

9.3CVSS5.4AI score0.00195EPSS
Exploits0References1
Rows per page
Query Builder