CVE-2026-34237

Summary

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 0.83.0, 1.0.1, and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 0.83.0, 1.0.1, and 1.1.1.

Affected Software

VendorProductVersion RangeStatus
modelcontextprotocoljava-sdk>= 1.0.0, < 1.0.1affected
modelcontextprotocoljava-sdk>= 1.1.0, < 1.1.1affected
modelcontextprotocoljava-sdk< 0.18.3affected

Weaknesses

  • CWE-942: CWE-942: Permissive Cross-domain Policy with Untrusted Domains

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References