Java-SDK DNS Rebinding Vulnerability in MCP Server
A DNS rebinding vulnerability exists in java-sdk versions prior to 1.0.0, allowing an attacker to access a locally or network-private java-sdk MCP server via a victim's browser, potentially enabling unauthorized tool calls to the server.
The java-sdk contains a DNS rebinding vulnerability (CVE-2026-35568) affecting versions prior to 1.0.0. This vulnerability allows a remote attacker to bypass same-origin policy and access a locally or network-private java-sdk MCP (Model Context Protocol) server through a victim's web browser. By exploiting the lack of proper Origin header validation, an attacker can make unauthorized tool calls to the server as if they were a locally running MCP connected AI agent. This issue stems from the MCP server's failure to validate the Origin header on incoming connections, violating the MCP specification's security recommendations. Servers built using frameworks with embedded Origin header validation, such as Spring AI, are not vulnerable.
Attack Chain
- Attacker crafts a malicious website designed to exploit the DNS rebinding vulnerability.
- The victim visits the attacker's malicious website in their web browser.
- The malicious website contains JavaScript code that attempts to connect to a locally running or private network java-sdk MCP server.
- The attacker manipulates DNS records to point the malicious domain to the victim's localhost (127.0.0.1) or a private network IP address where the MCP server is running.
- The victim's browser, unaware of the DNS manipulation, sends HTTP requests to the MCP server using the attacker's domain as the origin.
- The vulnerable java-sdk MCP server, lacking Origin header validation, accepts the requests as legitimate.
- The attacker uses the compromised connection to make arbitrary tool calls to the MCP server.
- The MCP server executes the attacker's tool calls, potentially leading to information disclosure, unauthorized actions, or denial of service.
Impact
Successful exploitation allows attackers to execute arbitrary tool calls on the victim's local or private-network MCP server. This can lead to unauthorized access to sensitive data, manipulation of AI agents connected to the MCP server, or other malicious activities. The impact is significant because it allows bypassing intended security boundaries and gaining unauthorized control over local AI development environments. Any developer who interacts with a malicious website risks inadvertently granting the attacker access to their MCP server.
Recommendation
- Deploy the
JavaSDKMCPOriginValidationBypassSigma rule to detect potential attempts to exploit this vulnerability by monitoring HTTP requests to MCP servers without proper Origin headers. - Implement a reverse proxy (like Nginx or HAProxy) configured to strictly validate the
HostandOriginheaders for MCP server traffic, as recommended in the advisory. - If possible, migrate to version 1.0.0 or later of the
io.modelcontextprotocol.sdk:mcp-corepackage to patch CVE-2026-35568. - Consider using frameworks with built-in CORS and Origin validation (such as Spring AI) when building MCP servers.
Detection coverage 2
Java-SDK MCP Origin Validation Bypass Attempt
highDetects HTTP requests to a Java-SDK MCP server where the Origin header is either missing or does not match the expected Host header, indicating a potential DNS rebinding attack.
Java-SDK MCP Server Tool Call Attempt via HTTP
mediumDetects HTTP requests to a Java-SDK MCP server attempting to execute tool calls.
Detection queries are available on the platform. Get full rules →