CVE-2026-35568 Overview
CVE-2026-35568 is a DNS rebinding vulnerability discovered in the MCP Java SDK, the official Java SDK for Model Context Protocol (MCP) servers and clients. Prior to version 1.0.0, the java-sdk contains a flaw that allows an attacker to access a locally or network-private MCP server via a victim's browser. This vulnerability enables attackers to make arbitrary tool calls to the server as if they were a locally running MCP-connected AI agent, potentially leading to unauthorized access and data manipulation.
Critical Impact
Attackers can bypass network segmentation and access private MCP servers through a victim's browser, enabling unauthorized tool execution with the privileges of a local AI agent.
Affected Products
- MCP Java SDK versions prior to 1.0.0
- Model Context Protocol servers using vulnerable java-sdk versions
- Applications integrating MCP Java SDK for AI agent communication
Discovery Timeline
- 2026-04-07 - CVE-2026-35568 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35568
Vulnerability Analysis
This vulnerability is classified under CWE-346 (Origin Validation Error), indicating that the MCP Java SDK fails to properly validate the origin of incoming requests. DNS rebinding attacks exploit the time-based nature of DNS resolution to bypass same-origin policy protections in web browsers.
When a victim visits a malicious website, the attacker's DNS server initially returns the attacker's IP address. After the page loads, the DNS TTL expires, and the attacker's DNS server returns the internal IP address of the victim's MCP server. The browser, believing it's still communicating with the original domain, sends requests to the internal MCP server. Since the java-sdk does not properly validate the Host header or implement origin checking, these requests are processed as legitimate.
The attack requires network access and user interaction (visiting a malicious page), but once initiated, can lead to complete compromise of confidentiality and integrity of the MCP server's data and operations.
Root Cause
The root cause of this vulnerability is the absence of proper Host header validation and origin checking in the MCP Java SDK's HTTP server implementation. The SDK accepts requests from any origin without verifying that the Host header matches expected values for legitimate local or network connections. This design oversight allows DNS rebinding attacks to succeed, as the browser's requests appear to come from the attacker's domain but are actually routed to the internal MCP server.
Attack Vector
The attack leverages network-based access through a victim's web browser. An attacker hosts a malicious website that performs DNS rebinding, switching the browser's connection from the attacker's server to the victim's internal MCP server. Once the rebinding is complete, the attacker's JavaScript running in the victim's browser can send API requests to the MCP server, invoking any available tool with the full privileges of a locally connected AI agent.
The attack scenario requires:
- The victim to visit a malicious website while connected to a network with an MCP server
- The MCP server to be accessible from the victim's machine (localhost or local network)
- The MCP Java SDK version to be prior to 1.0.0
The vulnerability mechanism involves improper origin validation in the HTTP request handling. When the MCP Java SDK server receives incoming requests, it fails to verify that the Host header corresponds to expected local or trusted origins. This allows DNS rebinding attacks where an attacker-controlled domain initially resolves to the attacker's server, then switches to resolve to the victim's internal MCP server address. The browser, still associating the requests with the attacker's domain, sends them to the internal server which processes them without proper origin checking. For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-35568
Indicators of Compromise
- DNS responses with very short TTLs for suspicious domains whose answers change between queries (for example, from an external address to an internal one)
- HTTP requests to MCP server endpoints with mismatched or external Host headers
- Browser-originated requests to localhost or internal network addresses from external web pages
- Unexpected tool invocations on MCP servers that don't correlate with legitimate AI agent activity
Detection Strategies
- Implement Host header validation monitoring to detect requests with unexpected or external domain Host headers
- Monitor DNS resolution patterns for short TTL records that could indicate rebinding attempts
- Deploy web application firewalls with rules to detect and block DNS rebinding attack patterns
- Log and alert on MCP tool calls that originate from browser contexts rather than expected AI agent connections
Monitoring Recommendations
- Enable detailed access logging on all MCP server instances to capture Host headers and request origins
- Implement network-level monitoring for connections to MCP server ports from unexpected sources
- Configure security information and event management (SIEM) rules to correlate DNS queries with subsequent internal service access
- Monitor for the deployment of vulnerable MCP Java SDK versions (prior to 1.0.0) in your environment
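The Host and Origin checks from the detection strategies above, applied to access-log lines. This is an added example, not code from the MCP Java SDK or the advisory. The JSON log format, its field names, the /mcp path and the ALLOWED_HOSTS values are assumptions, and the sample lines are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption: the only names this MCP server is legitimately reached by.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "mcp.internal.example"}

def host_name(value):
    """Return the normalised hostname from a Host header or Origin URL, or None."""
    if not value:
        return None
    # urlsplit copes with ports, bracketed IPv6 literals and mixed case.
    netloc = value if "//" in value else "//" + value
    try:
        name = urlsplit(netloc).hostname
    except ValueError:
        return None
    return name.rstrip(".").lower() if name else None

def classify(entry):
    """Return the reasons a logged request looks browser-driven and untrusted."""
    reasons = []
    if host_name(entry.get("host")) not in ALLOWED_HOSTS:
        reasons.append("unexpected Host: %r" % entry.get("host"))
    origin = entry.get("origin")
    # Assumption: non-browser MCP clients send no Origin header; browsers do on POST.
    if origin and host_name(origin) not in ALLOWED_HOSTS:
        reasons.append("external Origin: %r" % origin)
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every suspicious JSON log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        reasons = classify(json.loads(line))
        if reasons:
            findings.append((number, reasons))
    return findings

# Constructed sample access log, one JSON object per request.
SAMPLE_LOG = [
    '{"src": "127.0.0.1", "path": "/mcp", "host": "localhost:8080", "origin": null}',
    '{"src": "127.0.0.1", "path": "/mcp", "host": "rebind.attacker.example:8080", "origin": "http://rebind.attacker.example:8080"}',
    '{"src": "127.0.0.1", "path": "/mcp", "host": "[::1]:8080", "origin": null}',
    '{"src": "10.0.0.15", "path": "/mcp", "host": "LOCALHOST.:8080", "origin": "https://app.untrusted.example"}',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(number, reasons)
```

The second sample line is flagged even though its source address is loopback: a rebound request always arrives from the victim's own machine, so the Host header, not the source IP, is what distinguishes it.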
How to Mitigate CVE-2026-35568
Immediate Actions Required
- Upgrade MCP Java SDK to version 1.0.0 or later immediately
- Audit all applications using MCP Java SDK to identify vulnerable deployments
- Restrict MCP server access to trusted IP addresses using firewall rules
- Implement network segmentation to isolate MCP servers from general browsing traffic
Patch Information
The vulnerability is fixed in MCP Java SDK version 1.0.0. Organizations should upgrade to this version or later to remediate the DNS rebinding vulnerability. The fix implements proper Host header validation and origin checking to prevent unauthorized cross-origin requests from being processed.
For detailed release information, see the GitHub Release Notes. The GitHub Security Advisory provides additional technical context about the vulnerability and remediation.
Workarounds
- Configure web application firewalls to block requests with mismatched Host headers targeting MCP server endpoints
- Implement reverse proxy configurations that validate Host headers before forwarding to MCP servers
- Use network-level access controls to restrict MCP server access to specific trusted hosts only
- Consider running MCP servers in isolated network segments that are not accessible from workstations with browser access
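# Example firewall rule to restrict MCP server access to trusted hosts
# (port 8080 and 10.0.0.0/24 are example values; substitute your own).
# Source filtering does not stop rebinding through a browser on an allowed host,
# because the request arrives from that host's own address.
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP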