MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *)
GHSA-hv2w-8mjj-jw22 · CVE-2026-34237
Description
Summary
Hardcoded wildcard CORS (Access-Control-Allow-Origin: *). Both servlet transports set the header unconditionally, so any web origin may read their responses:
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
- https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525
Attack Scenario
An attacker-controlled web page, loaded in the browser of a user who can reach the internal server, instructs that browser to open GET https://internal-mcp-server/sse (for example with EventSource or fetch). A cross-origin read of that response would normally be blocked by the same-origin policy, but the server answers with Access-Control-Allow-Origin: *, so the browser hands the SSE body to the attacker's script. The first thing on that stream is the endpoint event, which carries the session ID. The attacker's page can then POST to that endpoint from the same page, using the victim's browser as a relay into a network the attacker cannot reach directly. The attack does not depend on cookies (a wildcard never permits credentialed requests): the only secret involved, the session ID, is delivered in the response body, and reachability comes from the victim's network position.
Comparison with python-sdk
Neither Python transport emits an Access-Control-Allow-Origin header, so the browser's same-origin policy remains in full effect and the cross-origin read described above is blocked:
- https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/sse.py
- https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py
Recommendation
In the SDK, the transport layer should not own CORS policy, and it should certainly not ship a wildcard: that one header value switches off the same-origin policy for every origin on an endpoint that hands out session identifiers. Server implementors who need cross-origin access can add a CORS filter at the servlet filter or Spring Security layer with an explicit origin allowlist: echo the matching Origin value, send Vary: Origin, and emit no Access-Control-Allow-Origin header at all for any other origin.
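As an added example (not code from the java-sdk or its maintainers), the kind of allowlist filter this recommendation describes, applied to the attack scenario above: a request whose Origin is https://attacker.example gets no Access-Control-Allow-Origin header, so the browser withholds the SSE body, and with it the endpoint event and session ID, from the attacker's script, while an allowlisted origin such as https://app.example is echoed back exactly. It assumes the jakarta.servlet API, an allowlist fixed at deploy time (the origin strings and the allowed header names are placeholders), and that the transport writes its header through setHeader/addHeader on the response it is handed; the response wrapper at the end exists so that a transport which still hardcodes * cannot overwrite the filter's decision.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;

import java.io.IOException;
import java.util.Set;

/**
 * Origin-allowlist CORS filter for a servlet-based MCP deployment.
 * Illustration added for this advisory; not code from the java-sdk.
 * Assumptions: jakarta.servlet API, the filter is mapped to the same paths as
 * the SSE / streamable transports, and the allowed origins are fixed at deploy time.
 */
public class McpCorsFilter implements Filter {

    private static final String ACAO = "Access-Control-Allow-Origin";

    private final Set<String> allowedOrigins; // e.g. Set.of("https://app.example") (placeholder)

    public McpCorsFilter(Set<String> allowedOrigins) {
        this.allowedOrigins = Set.copyOf(allowedOrigins);
    }

    /**
     * Value for Access-Control-Allow-Origin, or null when the header must be omitted.
     * Exact string match only: never "*", never a suffix or regex match, so
     * "https://attacker.example" cannot be made to match "https://app.example".
     */
    static String resolveAllowedOrigin(String origin, Set<String> allowedOrigins) {
        if (origin == null || origin.isBlank() || "null".equals(origin)) {
            return null; // no Origin (same-origin or non-browser client) or an opaque origin
        }
        return allowedOrigins.contains(origin) ? origin : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String allowed = resolveAllowedOrigin(request.getHeader("Origin"), allowedOrigins);
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (allowed != null) {
            response.setHeader(ACAO, allowed);
            response.addHeader("Vary", "Origin"); // caches must key the answer on Origin
            if (preflight) {
                // Assumed list of methods/headers the MCP HTTP transports need; adjust per deployment.
                response.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
                response.setHeader("Access-Control-Allow-Headers",
                        "Content-Type, Authorization, Mcp-Session-Id, Last-Event-ID");
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
                return;
            }
        } else if (preflight) {
            // Preflight from a non-allowlisted origin: answer without any CORS
            // headers so the browser refuses to send the real request.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Downstream code (including a transport that hardcodes "*") can no
        // longer replace the decision made above.
        chain.doFilter(request, new AllowOriginGuard(response));
    }

    /** Drops Access-Control-Allow-Origin writes from downstream code; every other header passes through. */
    static final class AllowOriginGuard extends HttpServletResponseWrapper {
        AllowOriginGuard(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!ACAO.equalsIgnoreCase(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!ACAO.equalsIgnoreCase(name)) {
                super.addHeader(name, value);
            }
        }
    }
}
```

Register the filter on the transport paths ahead of the transport servlet; the wrapper only helps if the filter runs before the transport writes its headers. In a Spring Security deployment the same policy is expressed with a CorsConfiguration whose allowed origins are the explicit allowlist (never "*"), and the response wrapper is still needed on SDK versions that set the wildcard themselves.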
References
- WEB https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34237
- WEB https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#access-control-allow-origin
- PACKAGE https://github.com/modelcontextprotocol/java-sdk
- WEB https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
- WEB https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525