{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/java-sdk/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Java SDK","MCP Server"],"_cs_severities":["high"],"_cs_tags":["dns-rebinding","java-sdk","mcp","cve-2026-35568"],"_cs_type":"advisory","_cs_vendors":["Model Context Protocol"],"content_html":"\u003cp\u003eThe java-sdk contains a DNS rebinding vulnerability (CVE-2026-35568) affecting versions prior to 1.0.0. This vulnerability allows a remote attacker to bypass same-origin policy and access a locally or network-private java-sdk MCP (Model Context Protocol) server through a victim's web browser. By exploiting the lack of proper Origin header validation, an attacker can make unauthorized tool calls to the server as if they were a locally running MCP connected AI agent. This issue stems from the MCP server's failure to validate the Origin header on incoming connections, violating the MCP specification's security recommendations. Servers built using frameworks with embedded Origin header validation, such as Spring AI, are not vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious website designed to exploit the DNS rebinding vulnerability.\u003c/li\u003e\n\u003cli\u003eThe victim visits the attacker's malicious website in their web browser.\u003c/li\u003e\n\u003cli\u003eThe malicious website contains JavaScript code that attempts to connect to a locally running or private network java-sdk MCP server.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates DNS records to point the malicious domain to the victim's localhost (127.0.0.1) or a private network IP address where the MCP server is running.\u003c/li\u003e\n\u003cli\u003eThe victim's browser, unaware of the DNS manipulation, sends HTTP requests to the MCP server using the attacker's domain as the origin.\u003c/li\u003e\n\u003cli\u003eThe vulnerable java-sdk MCP server, lacking Origin header validation, accepts the requests as legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised connection to make arbitrary tool calls to the MCP server.\u003c/li\u003e\n\u003cli\u003eThe MCP server executes the attacker's tool calls, potentially leading to information disclosure, unauthorized actions, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary tool calls on the victim's local or private-network MCP server. This can lead to unauthorized access to sensitive data, manipulation of AI agents connected to the MCP server, or other malicious activities. The impact is significant because it allows bypassing intended security boundaries and gaining unauthorized control over local AI development environments. Any developer who interacts with a malicious website risks inadvertently granting the attacker access to their MCP server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eJavaSDKMCPOriginValidationBypass\u003c/code\u003e Sigma rule to detect potential attempts to exploit this vulnerability by monitoring HTTP requests to MCP servers without proper Origin headers.\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy (like Nginx or HAProxy) configured to strictly validate the \u003ccode\u003eHost\u003c/code\u003e and \u003ccode\u003eOrigin\u003c/code\u003e headers for MCP server traffic, as recommended in the advisory.\u003c/li\u003e\n\u003cli\u003eIf possible, migrate to version 1.0.0 or later of the \u003ccode\u003eio.modelcontextprotocol.sdk:mcp-core\u003c/code\u003e package to patch CVE-2026-35568.\u003c/li\u003e\n\u003cli\u003eConsider using frameworks with built-in CORS and Origin validation (such as Spring AI) when building MCP servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-java-sdk-dns-rebinding/","summary":"A DNS rebinding vulnerability exists in java-sdk versions prior to 1.0.0, allowing an attacker to access a locally or network-private java-sdk MCP server via a victim's browser, potentially enabling unauthorized tool calls to the server.","title":"Java-SDK DNS Rebinding Vulnerability in MCP Server","url":"https://feed.craftedsignal.io/briefs/2024-01-java-sdk-dns-rebinding/"}],"language":"en","title":"CraftedSignal Threat Feed - Java-Sdk","version":"https://jsonfeed.org/version/1.1"}