CVE-2026-42559 · HIGH 8.8 · EPSS percentile 11.5%


Description

RMCP is an official Rust SDK for the Model Context Protocol. Prior to version 1.4.0, the rmcp crate's Streamable HTTP server transport (crates/rmcp/src/transport/streamable_http_server/) did not validate the incoming Host header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP server running on the victim's loopback or private-network interface. This vulnerability is fixed in 1.4.0.
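As an added example (not code from the rmcp project), a Host-header allow-list check in Rust of the kind that blocks the requests described above: a browser carrying out DNS rebinding still sends the attacker's hostname in the Host header, so a loopback MCP server that accepts only loopback addresses, `localhost`, or an explicit allow-list on its own port rejects the request. The `host_allowed` function, its parameters and the sample values are assumptions for this example.

```rust
// Added example, not rmcp's own code: Host-header validation that a
// loopback or private-network HTTP server can apply before handling a request.
use std::net::IpAddr;

/// Split a Host header value into (lowercase host, optional port).
/// Handles bracketed IPv6 literals such as "[::1]:8080"; rejects unbracketed
/// IPv6 because "::1:8080" is ambiguous. Returns None on malformed input.
fn split_host_port(host: &str) -> Option<(String, Option<u16>)> {
    let host = host.trim();
    if host.is_empty() {
        return None;
    }
    if let Some(rest) = host.strip_prefix('[') {
        let end = rest.find(']')?;
        let ip = &rest[..end];
        let after = &rest[end + 1..];
        let port = match after.strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if after.is_empty() => None,
            None => return None,
        };
        return Some((ip.to_ascii_lowercase(), port));
    }
    match host.rsplit_once(':') {
        Some((h, p)) if !h.contains(':') => Some((h.to_ascii_lowercase(), Some(p.parse::<u16>().ok()?))),
        Some(_) => None,
        None => Some((host.to_ascii_lowercase(), None)),
    }
}

/// True when the Host header names this server: an explicitly allowed name,
/// "localhost", or a loopback IP literal, and (if a port is present) the port
/// the server actually listens on. Anything else, including an attacker's
/// rebinding domain that happens to resolve to 127.0.0.1, is rejected.
pub fn host_allowed(host_header: &str, allowed_names: &[&str], port: u16) -> bool {
    let (name, hdr_port) = match split_host_port(host_header) {
        Some(parts) => parts,
        None => return false,
    };
    if hdr_port.map_or(false, |p| p != port) {
        return false;
    }
    if allowed_names.iter().any(|a| a.eq_ignore_ascii_case(&name)) {
        return true;
    }
    if name == "localhost" {
        return true;
    }
    name.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}
```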

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.21% probability of exploitation · percentile 11.5% · 2026-06-18T12:00:27Z
Published: 2026-05-14
Last modified: 2026-05-14

Underlying weaknesses (2)

CWE-346, CWE-350

References

  1. https://github.com/modelcontextprotocol/rust-sdk/commit/8e22aa2de28df5a285eed87c11cd89bf15fa90d3
  2. https://github.com/modelcontextprotocol/rust-sdk/issues/815
  3. https://github.com/modelcontextprotocol/rust-sdk/issues/822
  4. https://github.com/modelcontextprotocol/rust-sdk/pull/764
  5. https://github.com/modelcontextprotocol/rust-sdk/security/advisories/GHSA-89vp-x53w-74fx


Type       Target                                                                  ID       Confidence  Tier
Weakness   Origin Validation Error                                                 cwe-346  0%          live
Weakness   Reliance on Reverse DNS Resolution for a Security-Critical Action       cwe-350  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-66416
CVE-2026-34742
CVE-2025-66414
CVE-2026-35577
CVE-2025-64443
CVE-2025-6514
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.