CVE-2026-42559
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
14/05/2026
Última modificación:
14/05/2026
Descripción
*** Pendiente de traducción *** RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
Impacto
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3
- https://github.com/modelcontextprotocol/rust-sdk/issues/815
- https://github.com/modelcontextprotocol/rust-sdk/issues/822
- https://github.com/modelcontextprotocol/rust-sdk/pull/764
- https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx