CVE-2026-34237

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1, there is a hardcoded wildcard CORS vulnerability. This issue has been patched in versions 1.0.1 and 1.1.1.
Configurations

Configuration 1

OR cpe:2.3:a:lfprojects:mcp_java_sdk:*:*:*:*:*:*:*:*
cpe:2.3:a:lfprojects:mcp_java_sdk:1.1.0:*:*:*:*:*:*:*

History

03 Apr 2026, 14:29

Type Values Removed Values Added
CPE
  Values Added: cpe:2.3:a:lfprojects:mcp_java_sdk:*:*:*:*:*:*:*:*
  Values Added: cpe:2.3:a:lfprojects:mcp_java_sdk:1.1.0:*:*:*:*:*:*:*
References
  Values Removed: https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289
  Values Added: https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletSseServerTransportProvider.java#L289 - Patch
References
  Values Removed: https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525
  Values Added: https://github.com/modelcontextprotocol/java-sdk/blob/main/mcp-core/src/main/java/io/modelcontextprotocol/server/transport/HttpServletStreamableServerTransportProvider.java#L525 - Patch
References
  Values Removed: https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22
  Values Added: https://github.com/modelcontextprotocol/java-sdk/security/advisories/GHSA-hv2w-8mjj-jw22 - Mitigation, Vendor Advisory
First Time
  Values Added: Lfprojects mcp Java Sdk
  Values Added: Lfprojects

31 Mar 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-31 16:16

Updated : 2026-04-03 14:29


NVD link : CVE-2026-34237

Mitre link : CVE-2026-34237

CVE.ORG link : CVE-2026-34237


Products Affected

lfprojects

  • mcp_java_sdk

CWE

CWE-942: Permissive Cross-domain Policy with Untrusted Domains