rustsec-2026-0189
Vulnerability from osv_rustsec
Published: 2026-04-29 12:00
Modified: 2026-06-30 07:16

Summary

DNS rebinding vulnerability in rmcp Streamable HTTP server transport

Details

Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport did not validate the incoming Host header.

This allowed a malicious public website, via a DNS rebinding attack, to send requests to an MCP server running on the victim's loopback or private-network interface.

An attacker who convinced a victim to visit a malicious page could enumerate and invoke tools exposed by a locally running rmcp-based MCP server, read resources and prompts, and trigger side effects limited by the tools exposed by that server.

Non-HTTP transports such as stdio and child-process transports are not affected.

Patches

The issue was fixed in rmcp 1.4.0 by adding default loopback-only host allowlist validation for the Streamable HTTP server transport. Incoming HTTP requests now validate the Host header and return HTTP 403 when the host is not allowed.

Users should upgrade to rmcp >= 1.4.0.

Workarounds

If upgrading is not possible, place the MCP server behind a reverse proxy configured to reject requests whose Host header is not one of the expected hostnames. Do not bind the MCP server to 0.0.0.0 without such validation.
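As an added illustration of the check that the 1.4.0 fix introduces and that the reverse-proxy workaround reproduces in front of an older server (example code, not rmcp's own; the function and constant names are hypothetical), a loopback-only Host allowlist applied before any MCP request is dispatched:

```rust
// Added example, not rmcp's code: a loopback-only Host allowlist check of the
// kind the 1.4.0 fix adds. Names (is_host_allowed, check_request) are hypothetical.
use std::net::IpAddr;

/// Hostnames accepted by default. Literal loopback IPs are accepted separately.
const DEFAULT_ALLOWED_HOSTS: &[&str] = &["localhost"];

/// Return the host part of a Host header value, dropping any ":port" suffix.
/// Bracketed IPv6 literals ("[::1]:8000") keep their brackets.
fn strip_port(host: &str) -> &str {
    if host.starts_with('[') {
        host.find(']').map_or(host, |i| &host[..=i])
    } else {
        host.rsplit_once(':').map_or(host, |(h, _)| h)
    }
}

/// A rebinding page makes the browser send the attacker's hostname in Host
/// (the browser never rewrites it to 127.0.0.1), so rejecting anything that is
/// not loopback or explicitly allowed stops the attack at the HTTP layer.
fn is_host_allowed(host_header: &str, allowed: &[&str]) -> bool {
    let host = strip_port(host_header.trim());
    if host.is_empty() {
        return false;
    }
    // Literal IPs: accept only loopback (127.0.0.0/8, ::1) unless listed.
    let literal = host.trim_start_matches('[').trim_end_matches(']');
    if let Ok(ip) = literal.parse::<IpAddr>() {
        return ip.is_loopback() || allowed.contains(&host);
    }
    // Hostnames: case-insensitive match against the allowlist; fail closed.
    allowed.iter().any(|a| a.eq_ignore_ascii_case(host))
}

/// HTTP status the transport answers with before any MCP handling:
/// 403 for a missing or disallowed Host, as rmcp 1.4.0 does.
fn check_request(host_header: Option<&str>, allowed: &[&str]) -> u16 {
    match host_header {
        Some(h) if is_host_allowed(h, allowed) => 200,
        _ => 403,
    }
}

fn main() {
    for h in ["localhost:8000", "[::1]:8000", "127.0.0.1", "attacker.example:8000"] {
        println!("Host: {h} -> {}", check_request(Some(h), DEFAULT_ALLOWED_HOSTS));
    }
}
```

An unbracketed IPv6 literal such as `::1` is not a valid Host value and is rejected by this check; the allowlist only needs extra entries when the server is deliberately reached under another name.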


{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "rmcp",
        "purl": "pkg:cargo/rmcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2026-42559",
    "GHSA-89vp-x53w-74fx",
    "GHSA-fvh2-gm75-j4j7"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Prior to version 1.4.0, the `rmcp` crate\u0027s Streamable HTTP server transport did\nnot validate the incoming `Host` header.\n\nThis allowed a malicious public website, via a DNS rebinding attack, to send\nrequests to an MCP server running on the victim\u0027s loopback or private-network\ninterface.\n\nAn attacker who convinced a victim to visit a malicious page could enumerate and\ninvoke tools exposed by a locally running rmcp-based MCP server, read resources\nand prompts, and trigger side effects limited by the tools exposed by that\nserver.\n\nNon-HTTP transports such as stdio and child-process transports are not affected.\n\n## Patches\n\nThe issue was fixed in `rmcp` 1.4.0 by adding default loopback-only host\nallowlist validation for the Streamable HTTP server transport. Incoming HTTP\nrequests now validate the `Host` header and return HTTP 403 when the host is not\nallowed.\n\nUsers should upgrade to `rmcp \u003e= 1.4.0`.\n\n## Workarounds\n\nIf upgrading is not possible, place the MCP server behind a reverse proxy\nconfigured to reject requests whose `Host` header is not one of the expected\nhostnames. Do not bind the MCP server to `0.0.0.0` without such validation.",
  "id": "RUSTSEC-2026-0189",
  "modified": "2026-06-30T07:16:56Z",
  "published": "2026-04-29T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/rmcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0189.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/pull/764"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/815"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/modelcontextprotocol/rust-sdk/issues/822"
    },
    {
      "type": "WEB",
      "url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#security-warning"
    }
  ],
  "related": [
    "GHSA-fvh2-gm75-j4j7",
    "RUSTSEC-2026-0140"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DNS rebinding vulnerability in rmcp Streamable HTTP server transport"
}