CVE-2026-42559
HIGH
NVD
CVSS Score
8.8
Severity
HIGH
Published
May 14, 2026
Vendor
unknown
Description
RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
References
- https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3
- https://github.com/modelcontextprotocol/rust-sdk/issues/815
- https://github.com/modelcontextprotocol/rust-sdk/issues/822
- https://github.com/modelcontextprotocol/rust-sdk/pull/764
- https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx