Critical MCP Toolbox Vulnerability Exposes Enterprise Database Connectors to DNS Rebinding Attacks
A critical vulnerability in MCP Toolbox for Databases could let malicious websites interact with internal database tools through a victim’s browser. The flaw is tracked as CVE-2026-9739 and affects users connecting to Toolbox through Server-Sent Events under the MCP v2024-11-05 specification.
The issue stems from a hardcoded wildcard CORS header in the SSE handler. In vulnerable builds, the endpoint returned Access-Control-Allow-Origin: *, which allowed browser-based requests from any website instead of limiting access to trusted origins.
The public GitHub issue says the hardcoded header bypassed the global CORS policy in MCP Toolbox and made the allowed-origins flag ineffective for the SSE endpoint. That created a path for session hijacking and unauthorized tool use.
What CVE-2026-9739 means for MCP Toolbox users
MCP Toolbox for Databases, previously known as Gen AI Toolbox for Databases, is an open source MCP server that connects AI agents, IDEs, and applications to enterprise databases. The project’s official repository describes it as a tool for connecting agents to databases and exposing database operations through MCP-compatible tools.
That role makes the vulnerability important for enterprise users. If Toolbox has access to PostgreSQL, BigQuery, Cloud SQL, AlloyDB, Spanner, MySQL, or other configured data sources, an attacker who can reach the MCP server through the victim’s browser may be able to trigger exposed tools.
The flaw is not a traditional database engine bug. It sits in the transport layer around how the MCP server handles browser-originated SSE traffic. In practice, that means the security boundary around internal database tools can weaken if administrators expose the vulnerable SSE endpoint or run Toolbox with unsafe host and origin settings.
Key details at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-9739 |
| Product | MCP Toolbox for Databases |
| Affected area | SSE initialization handler for MCP v2024-11-05 connections |
| Weakness | Permissive cross-domain policy with untrusted domains |
| CNA score | CVSS 4.0 score of 9.4, Critical |
| Fix status | Hardcoded wildcard origin removed in PR #3054 and included in version 1.2.0 |
The NVD entry says the vulnerability affects Toolbox users connecting with SSE under specification v2024-11-05. It also says NVD enrichment remains pending, while Google lists a CVSS 4.0 base score of 9.4.
The weakness maps to CWE-942, which covers permissive cross-domain policies with untrusted domains. In this case, the problem came from a wildcard Access-Control-Allow-Origin header that remained in the SSE initialization path.
How the attack can work
A likely attack starts when a victim visits a malicious website or views malicious browser content. The attacker then uses DNS rebinding techniques to make the browser interact with an internal MCP Toolbox server that should not accept requests from the attacker’s site.
The Model Context Protocol transport specification warns that servers must validate the Origin header to prevent DNS rebinding attacks. It also says local servers should bind only to localhost and should implement proper authentication for all connections.
Because the vulnerable SSE handler returned a wildcard origin header, the browser could treat the malicious site as allowed to interact with the endpoint. Depending on the tools exposed by the MCP server, that could let the attacker invoke database-related actions, read data, or perform operations through the victim’s local environment.
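The Host and Origin validation that the transport specification calls for can be sketched as Go middleware. This is an added example, not code from MCP Toolbox; the allow-list values, the `/sse` path, the port and the `guard` and `status` names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Constructed allow-lists for a local deployment (assumed values).
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true}
var allowedOrigins = map[string]bool{"http://localhost:3000": true}

// guard rejects any request whose Host or Origin is not explicitly trusted.
// After a DNS rebind the connection lands on 127.0.0.1, but Host still names the attacker.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(r.Host); err == nil {
			host = h // strip the port before the allow-list lookup
		}
		if !allowedHosts[host] {
			http.Error(w, "host not allowed", http.StatusForbidden)
			return
		}
		// Requests without Origin pass; an Origin that is present must be listed.
		if o := r.Header.Get("Origin"); o != "" && !allowedOrigins[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status returns the code the guarded endpoint gives for a Host/Origin pair.
func status(host, origin string) int {
	sse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, ": constructed SSE stream\n\n")
	})
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/sse", nil)
	req.Header.Set("Origin", origin) // an empty value behaves like no header
	rec := httptest.NewRecorder()
	guard(sse).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("127.0.0.1:5000", ""), status("rebind.attacker.example:5000", ""),
		status("127.0.0.1:5000", "https://evil.example"))
}
```

The rebound request is rejected on Host alone, which matters because a rebound page is same-origin with the attacker's name and may send no Origin header at all.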
Why enterprise database connectors raise the risk
MCP Toolbox often sits close to sensitive systems because it acts as a bridge between AI clients and enterprise data sources. A developer or administrator may run it locally during development, while a team may deploy it inside a private network to support internal AI workflows.
The MCP Toolbox project supports a broad set of database and data platform integrations. That includes Google Cloud data sources and self-managed databases, which can make the impact very different from one deployment to another.
If the server exposes only harmless read-only tools, the damage may focus on data exposure. If it exposes write, query, admin, or automation tools, the same issue could support data manipulation or operational abuse. The severity depends on what the MCP server can do and which credentials it can use.
What developers fixed
The related GitHub pull request removed the hardcoded Access-Control-Allow-Origin header from the SSE handler. The PR notes that the issue affected users using SSE through MCP specification v2024-11-05.
The fix also added a regression test to check security behavior with allowedOrigin and allowedHost values. That matters because origin and host checks can fail silently if one handler overrides the broader server policy.
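How a single handler can silently undo a server-wide origin policy, and what a regression check for it looks like, is shown in the added Go example below. It is not the project's code or its test; the `cors`, `sseHandler` and `effectiveACAO` names, the `/sse` path and the origin values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// cors stands in for a server-wide policy: it echoes the Origin back
// only when that origin is on the allow-list.
func cors(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); allowed[o] {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// sseHandler models an SSE initialization path. With hardcoded=true it shows
// the bug class: Set() replaces whatever the middleware already decided.
func sseHandler(hardcoded bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		if hardcoded {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		}
		fmt.Fprint(w, ": constructed SSE stream\n\n")
	})
}

// effectiveACAO returns the header value a browser would actually receive.
func effectiveACAO(hardcoded bool, origin string) string {
	allowed := map[string]bool{"https://ide.internal.example": true} // constructed
	req := httptest.NewRequest(http.MethodGet, "/sse", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	cors(allowed, sseHandler(hardcoded)).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{"https://ide.internal.example", "https://evil.example"} {
		fmt.Printf("%-30s before=%q after=%q\n", o, effectiveACAO(true, o), effectiveACAO(false, o))
	}
}
```

A check of this kind has to inspect the response of each endpoint, not the configured policy, because the configuration looks correct in both cases.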
The MCP Toolbox changelog lists the fix under version 1.2.0, released on May 7, 2026. The entry specifically says the release removed the hardcoded wildcard allowed origin for SSE.
What security teams should check now
- Identify all MCP Toolbox deployments across developer machines, CI systems, staging networks, and production environments.
- Check whether any deployment still supports SSE connections under MCP specification v2024-11-05.
- Upgrade MCP Toolbox to a version that includes the PR #3054 fix, such as 1.2.0 or later.
- Review allowed-origins and allowed-hosts values and avoid wildcard settings in production.
- Bind local MCP servers to 127.0.0.1 instead of 0.0.0.0 unless a secure remote setup requires otherwise.
- Require authentication for MCP servers that expose sensitive tools or database actions.
- Review logs for unusual browser-originated requests to MCP endpoints.
The original security report said a malicious website could establish a connection to Toolbox, hijack session IDs, and execute arbitrary tools on behalf of the user. It also named data exfiltration from configured databases as a possible impact.
For many organizations, the immediate priority should be exposure mapping. Security teams need to know where Toolbox runs, which database credentials it can access, and whether any MCP endpoint can receive traffic from browsers or untrusted network zones.
Why CORS mistakes still lead to serious security issues
CORS headers often look like simple browser configuration, but they can become security-critical when an internal service exposes powerful APIs. A wildcard origin policy tells browsers that any website may read or interact with the resource, depending on the broader request flow.
This is why CWE-942 remains a serious issue for services that expose private data or privileged actions. A permissive cross-domain policy can let attacker-controlled web pages reach targets that users assumed were protected by network boundaries.
The MCP transport rules place special focus on Origin validation, localhost binding, and authentication because MCP servers can expose tools with real-world effects. Those controls matter even more when the tools connect to enterprise databases.
Practical mitigation checklist
| Priority | Action | Reason |
|---|---|---|
| High | Upgrade to a fixed MCP Toolbox build | Removes the hardcoded wildcard origin in the SSE handler |
| High | Disable unused SSE endpoints | Reduces attack surface for legacy MCP transport paths |
| High | Set trusted allowed origins and hosts | Blocks browser-based access from untrusted domains |
| Medium | Require authentication | Limits what a browser-originated request can do |
| Medium | Review database tool permissions | Limits damage if an MCP session gets abused |
The merged fix closed the specific hardcoded-header issue, but administrators still need to check their runtime settings. Secure defaults can only help if deployments run a patched build and avoid permissive origin or host configurations.
The 1.2.0 changelog gives teams a clear version marker for the fix. Organizations running older builds should update and then verify that sensitive database tools remain limited to trusted clients.
FAQ
CVE-2026-9739 is a critical DNS rebinding and CORS-related vulnerability in MCP Toolbox for Databases. It affects users connecting through SSE under the MCP v2024-11-05 specification.
The issue came from a hardcoded Access-Control-Allow-Origin: * header in the SSE handler. That wildcard header bypassed the intended global CORS policy and made origin restrictions ineffective for that endpoint.
Yes, depending on how MCP Toolbox is configured. If the server exposes database tools and credentials, attackers may be able to trigger those tools through a victim’s browser after a successful DNS rebinding attack.
Users are most at risk if they run MCP Toolbox with SSE enabled, use older vulnerable builds, expose the server on broad network interfaces, or allow database tools without strong authentication and strict origin checks.
Organizations should upgrade MCP Toolbox to a fixed version, disable unused SSE endpoints, restrict allowed origins and hosts to trusted values, bind local servers to localhost where possible, and require authentication for sensitive MCP tools.