{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/modelcontextprotocol/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rmcp"],"_cs_severities":["high"],"_cs_tags":["dns-rebinding","vulnerability","rmcp","http","attack"],"_cs_type":"advisory","_cs_vendors":["modelcontextprotocol"],"content_html":"\u003cp\u003eThe \u003ccode\u003ermcp\u003c/code\u003e crate, a Rust SDK for the Model Context Protocol (MCP), contains a DNS rebinding vulnerability in its Streamable HTTP server transport. Prior to version 1.4.0, the server did not validate the \u003ccode\u003eHost\u003c/code\u003e header of incoming HTTP requests. This allows a remote attacker to bypass the Same-Origin Policy by exploiting DNS rebinding techniques. By convincing a victim to visit a malicious website, the attacker can make authenticated requests to an MCP server running on the victim\u0026rsquo;s loopback or private network interface. This can lead to the enumeration and invocation of tools exposed by the MCP server, potentially resulting in arbitrary code execution with the victim\u0026rsquo;s privileges. The vulnerability was patched in version 1.4.0 by introducing \u003ccode\u003eHost\u003c/code\u003e header validation with an allowlist.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker hosts a malicious website with a DNS name configured to perform DNS rebinding.\u003c/li\u003e\n\u003cli\u003eVictim visits the attacker\u0026rsquo;s website, initiating the DNS rebinding attack.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser resolves the attacker\u0026rsquo;s domain to a loopback IP address (e.g., 127.0.0.1) or a private network IP.\u003c/li\u003e\n\u003cli\u003eThe browser sends an HTTP request to the MCP server running on the victim\u0026rsquo;s machine, using the attacker\u0026rsquo;s malicious domain in the \u003ccode\u003eHost\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ermcp\u003c/code\u003e server, lacking \u003ccode\u003eHost\u003c/code\u003e header validation prior to v1.4.0, accepts the request as if it originated from a trusted source.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s website sends authenticated requests to the MCP server, leveraging existing credentials or sessions.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates available tools and resources exposed by the MCP server.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes tools with malicious intent, potentially leading to file writes, shell execution, API calls, or other actions limited only by the server\u0026rsquo;s exposed functionalities, resulting in arbitrary code execution on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to enumerate and invoke any tool exposed by a locally-running \u003ccode\u003ermcp\u003c/code\u003e-based MCP server, read resources and state accessible via the MCP session, and trigger side effects like file writes or shell execution. Given that MCP servers frequently run with user privileges and expose developer tooling, the practical impact can extend to arbitrary code execution on the victim\u0026rsquo;s machine. This vulnerability affects users running versions of the \u003ccode\u003ermcp\u003c/code\u003e crate prior to 1.4.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ermcp\u003c/code\u003e version 1.4.0 or later to incorporate the fix for CVE-2026-42559.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not feasible, implement a reverse proxy (e.g., nginx, Caddy) in front of the MCP server and configure it to validate the \u003ccode\u003eHost\u003c/code\u003e header, as outlined in the advisory under \u0026ldquo;Workarounds for Unpatched Users.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Host Header\u003c/code\u003e to identify potentially malicious requests targeting internal services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:00:00Z","date_published":"2026-05-07T00:00:00Z","id":"/briefs/2026-05-rmcp-dns-rebinding/","summary":"The `rmcp` crate before v1.4.0 is vulnerable to DNS rebinding attacks via the Streamable HTTP server transport due to missing Host header validation, potentially allowing arbitrary code execution on a victim's machine if they visit a malicious website.","title":"rmcp Streamable HTTP Server Transport DNS Rebinding Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-rmcp-dns-rebinding/"}],"language":"en","title":"CraftedSignal Threat Feed — Modelcontextprotocol","version":"https://jsonfeed.org/version/1.1"}