CVE-2026-34742

high

Red Hat

CVSS v3 Base Score

8.0

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Characteristics

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Confidentiality

High

Integrity

High

Availability

None

Published: April 2, 2026 (41 days ago)

Last Modified: April 2, 2026

Vendor: Red Hat

Source: REDHAT

Description

A flaw was found in the Model Context Protocol (MCP) Go SDK. When an HTTP-based MCP server is run on localhost without authentication, a malicious website can exploit a DNS rebinding vulnerability. This allows the attacker to bypass same-origin policy restrictions and send requests to the local MCP server. Consequently, an attacker could invoke tools or access resources exposed by the MCP server on behalf of the user.

CWE

CWE-1188

Affected Products

Migration Toolkit for VirtualizationOpenShift LightspeedOpenShift ServerlessRed Hat OpenShift AI (RHOAI)Red Hat OpenShift Dev Spaces

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-34742

Vulnerability Report

Description

CWE

Affected Products

References