MCP Java SDK, Hardcoded Wildcard CORS, Moderate severity

How the mentioned CVE works

The MCP Java SDK’s SSE transport layer includes a hardcoded `Access-Control-Allow-Origin: *` header in its HTTP responses. This instructs browsers to let any origin read the response, which removes the protection the same-origin policy would otherwise give.

An attacker hosts a malicious web page that, when visited by a victim, triggers a cross-origin GET request to the internal MCP server’s SSE endpoint (`/sse`). Because the wildcard CORS header is present, the victim’s browser exposes the SSE response, which contains the session ID, to the attacker’s script. The attacker then uses the victim’s browser as a relay to POST requests to that session endpoint, effectively gaining unauthorized access to the MCP session.

The issue affects versions before 1.0.0 and version 1.1.0; it was fixed in 1.0.1 and 1.1.1. In contrast, the Python SDK does not emit CORS headers, leaving the browser’s default same-origin policy intact. The root cause is placing CORS policy inside the SDK transport instead of delegating it to the application layer.

dailycve form

Platform: MCP Java SDK
Version: <1.0.0, =1.1.0
Vulnerability: Hardcoded Wildcard CORS
Severity: Moderate
Date: Mar 30 2026

Prediction: Already patched (1.0.1)

Analytics under What Undercode Say:

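Check for wildcard CORS header on SSE endpoint:

```bash
# --max-time stops curl from waiting on the SSE stream, which never ends on its own
curl -v --max-time 5 -H "Origin: https://evil.com" http://target-mcp-server/sse 2>&1 | grep -i "access-control-allow-origin"
```

Quick test using JavaScript (run in the browser console of a page on a different origin):

```javascript
// With a wildcard policy this cross-origin fetch resolves; without one the promise rejects.
// The Access-Control-Allow-Origin header itself is not readable from script, so report the outcome instead.
fetch('http://target-mcp-server/sse', { mode: 'cors' })
  .then(res => { console.log('cross-origin read allowed, status', res.status); return res.body.cancel(); })
  .catch(e => console.log('blocked or unreachable:', e));
```

Sample Nginx filter to block wildcard CORS if not yet patched:

```nginx
location /sse {
    # Requires the headers-more module. The header is stripped rather than set to "null",
    # because "null" matches opaque origins such as sandboxed iframes.
    more_clear_headers "Access-Control-Allow-Origin";
    proxy_pass http://mcp-backend;
}
```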

How Exploit:

  1. Attacker creates a webpage with a script that sends a `GET` request to `https://internal-mcp-server/sse`.
  2. Victim visits attacker’s page; browser sends the cross-origin request.
  3. Server responds with `Access-Control-Allow-Origin: *` and the SSE event containing the session ID.
  4. Attacker’s script reads the session ID from the response.
  5. Using the same victim’s browser (still authenticated), attacker POSTs to the session endpoint, executing arbitrary MCP operations.

Protection from this CVE

  • Upgrade to MCP Java SDK version 1.0.1 or 1.1.1.
  • If upgrade is not possible, override the CORS header at the servlet filter or reverse proxy level (e.g., strip `Access-Control-Allow-Origin` or set a strict origin).
  • Ensure the transport layer no longer controls CORS; apply CORS rules in application middleware (Spring Security, servlet filters) with a whitelist of trusted origins.
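
One way to apply the last two points on a servlet deployment, as an added example that is not code from the SDK or from this advisory: a filter that makes the CORS decision itself from an allowlist and ignores any `Access-Control-Allow-Origin` value set further down the chain. Assumptions: the `jakarta.servlet` API, a transport servlet that sets the header on the response object passed along the filter chain, and the hypothetical class name `StrictCorsFilter` with a placeholder trusted origin.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponseWrapper;
import java.io.IOException;
import java.util.Set;

// Added example (not SDK code). Register it in front of the MCP transport servlet
// with async support enabled, since SSE responses are long-lived.
public class StrictCorsFilter extends HttpFilter {
    private static final String ACAO = "Access-Control-Allow-Origin";
    // Assumption: placeholder origin; list only the sites that host your MCP client UI.
    private static final Set<String> TRUSTED = Set.of("https://mcp-ui.example.internal");

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String origin = req.getHeader("Origin");
        boolean trusted = origin != null && TRUSTED.contains(origin);

        res.addHeader("Vary", "Origin"); // keep caches from reusing a response across origins
        if (trusted) {
            res.setHeader(ACAO, origin); // echo the exact allowlisted origin, never "*"
        }
        // CORS preflight: answer it here so it never reaches the transport.
        if ("OPTIONS".equals(req.getMethod()) && req.getHeader("Access-Control-Request-Method") != null) {
            if (trusted) {
                res.setHeader("Access-Control-Allow-Methods", "GET, POST");
                res.setHeader("Access-Control-Allow-Headers", "Content-Type");
            }
            res.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        // Downstream code gets a wrapper that ignores its attempts to set the header,
        // so a hardcoded wildcard cannot replace the decision made above.
        chain.doFilter(req, new HttpServletResponseWrapper(res) {
            @Override
            public void setHeader(String name, String value) {
                if (!ACAO.equalsIgnoreCase(name)) super.setHeader(name, value);
            }
            @Override
            public void addHeader(String name, String value) {
                if (!ACAO.equalsIgnoreCase(name)) super.addHeader(name, value);
            }
        });
    }
}
```

Requests without an `Origin` header (non-browser MCP clients) pass through with no CORS header added, and a browser on an untrusted origin receives no `Access-Control-Allow-Origin`, so it refuses to hand the SSE response to the calling script.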

Impact

An attacker can hijack an active MCP session by exfiltrating the session ID via the victim’s browser. This allows unauthorized access to MCP capabilities (e.g., reading/writing resources, invoking tools) with the victim’s permissions, leading to data leakage, privilege abuse, and potential lateral movement within internal networks.

Sources:

Reported By: github.com