CVE-2026-11719
Possible ATT&CK Techniques 2AI
T1078.004 · Cloud Accounts T1556.003 · Pluggable Authentication ModulesAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MCP Toolbox for Databases (googleapis/mcp-toolbox) | 1.3.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-11719
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MCP Toolbox for Databases (googleapis/mcp-toolbox) | 1.3.0 | - |
II. Public POCs for CVE-2026-11719
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-11719
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-11719 (2)
Same Patch Batch · Google · 2026-06-18 · 4 CVEs total
| CVE-2026-11718 | googleapis/mcp-toolbox令牌验证绕过漏洞 | |
| CVE-2026-11717 | Googleapis MCP Toolbox鉴权绕过漏洞 | |
| CVE-2026-28573 | Android持久拒绝服务漏洞 |
IV. Related Vulnerabilities
Same weakness: CWE-862
- CVE-2026-12119
Simple File List <= 6.3.7 - Missing Authorization to Authent - CVE-2026-11912
Simple File List <= 6.3.7 - Missing Authorization to Unauthe - CVE-2026-56213
Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via u - CVE-2026-48582
Microsoft Exchange Online Elevation of Privilege Vulnerabili - CVE-2026-12238
WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Cre
V. Comments for CVE-2026-11719
No comments yet